CVE-2023-2715

Name of the Vulnerable Software and Affected Versions Groundhogg plugin for WordPress versions up to, and including, 2.7.9.8

Description The issue is due to a missing capability check on the submit ticket function, allowing authenticated attackers to create a support ticket that sends the website's data to the plugin developer. It is also possible to create an admin access with an auto login link that is sent to the plugin developer with the ticket. This only works if the plugin is activated with a valid license.

Recommendations For versions up to, and including, 2.7.9.8, update to a version higher than 2.7.9.8 to resolve the issue. As a temporary workaround, consider disabling the submit ticket function until a patch is available. Restrict access to the plugin's support ticket functionality to minimize the risk of exploitation.