PT-2023-21078 · WordPress · Groundhogg

Researcher: István Márton (+1)
Published: 2023-05-20 · Updated: 2023-05-25
CVE-2023-2736
CVSS v3.1: 8.0 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Groundhogg plugin for WordPress, versions up to and including 2.7.9.8
Description: The issue is due to missing nonce validation in the ajax edit contact function, which makes it possible for authenticated attackers to elevate the privileges of a verified user via a forged request. This can be achieved by tricking a site administrator into performing an action, such as clicking on a link, after the attacker has received the auto login link via the shortcode, and thereby modifying the user assigned to the contact.
Recommendations: For versions up to and including 2.7.9.8, consider disabling the ajax edit contact function until a patch is available. Restrict access to the auto login link shortcode to minimize the risk of privilege elevation, and avoid using the auto login link feature until the issue is resolved.
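As an added illustration that is not Groundhogg's code (the plugin, hook, option and meta-key names are hypothetical), the following shows the pattern behind a WordPress AJAX handler that lacks nonce validation, beside the hardened form that WordPress's own nonce and capability APIs provide:

```php
<?php
// Added illustration, not Groundhogg's code: a hypothetical plugin that lets a
// logged-in user edit a "contact" record and change the WP user linked to it.

// --- Vulnerable form: neither nonce check nor capability check -------------
// Any request carrying a valid login cookie is accepted, so a forged request
// (e.g. an administrator clicking an attacker-supplied link) is honoured.
add_action( 'wp_ajax_example_edit_contact_unsafe', 'example_edit_contact_vulnerable' );
function example_edit_contact_vulnerable() {
    $contact_id = (int) $_POST['contact_id'];
    $user_id    = (int) $_POST['user_id'];
    update_post_meta( $contact_id, 'linked_user_id', $user_id ); // hypothetical storage
    wp_send_json_success();
}

// --- Hardened form ----------------------------------------------------------
// 1. The page that issues the request embeds a nonce bound to this action
//    (and, implicitly, to the current user's session).
function example_enqueue_contact_editor() {
    wp_enqueue_script( 'example-contact-editor', plugins_url( 'editor.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-contact-editor', 'exampleContact', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_edit_contact' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_contact_editor' );

// 2. The handler rejects requests whose nonce does not verify and whose sender
//    lacks the capability; a forged link cannot supply a valid nonce, so the
//    session cookie alone is no longer enough to change the assigned user.
add_action( 'wp_ajax_example_edit_contact', 'example_edit_contact_hardened' );
function example_edit_contact_hardened() {
    // check_ajax_referer() terminates the request when the nonce is missing or invalid.
    check_ajax_referer( 'example_edit_contact', 'nonce' );

    if ( ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $contact_id = isset( $_POST['contact_id'] ) ? absint( $_POST['contact_id'] ) : 0;
    $user_id    = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( ! $contact_id || ! get_userdata( $user_id ) ) {
        wp_send_json_error( 'invalid contact or user', 400 );
    }

    update_post_meta( $contact_id, 'linked_user_id', $user_id ); // hypothetical storage
    wp_send_json_success();
}
```

When reviewing a plugin for this class of bug, look for every `wp_ajax_*` callback that writes data and confirm it calls `check_ajax_referer()` (or `wp_verify_nonce()`) and a `current_user_can()` check before the write.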


Weakness Enumeration: CSRF
Related Identifiers: CVE-2023-2736
Affected Products: Groundhogg