CVE-2026-40727: WordPress Groundhogg plugin <= 4.4 - Arbitrary File Deletion vulnerability
Sales Representative Arbitrary File Deletion in Groundhogg <= 4.4 versions.
Metrics
- CVSS v3.1: 7.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An arbitrary file deletion vulnerability affects the Groundhogg WordPress plugin at version 4.4 and below. It is reachable over the network by any authenticated user holding a Sales Representative role, with no additional interaction required, and carries a scope-changing impact that can disrupt the hosting environment beyond the plugin itself. Successful exploitation allows an attacker to delete arbitrary files on the server, which can corrupt the application, destroy data, or take down the site entirely. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as the upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack feed, within minutes of publication and matched against customer images in registries and CI/CD pipelines. Coverage extends to custom-built images that bundle the Groundhogg plugin alongside a WordPress installation.
HarborGuard scores this finding at 7.7 HIGH using the published CVSS v3.1 vector and weights it against each customer organization's compliance policy to determine urgency and routing. Triage alerts are directed to the appropriate team inbox within each customer environment based on configured ownership rules.
Because no fix version has been published yet, HarborGuard re-checks the Patchstack and upstream Groundhogg advisory each ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads will be triggered automatically once a fix version is available.
Exploit Conditions
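As an added example of the version matching the coverage above describes (this is not HarborGuard's or Groundhogg's own code), the script below reads the standard WordPress plugin header from a plugin's main file, extracts the `Version:` field and compares it against the advisory's upper affected bound of 4.4. The header text embedded in it is constructed for illustration, the main-file path is whatever the reader supplies, and the pre-release handling is an assumption: a suffix such as `-beta` is ignored, which errs toward flagging.

```python
import re
from typing import Optional

# Constructed sample of a WordPress plugin main-file header (not taken from the
# Groundhogg code base); the version is set to the advisory's upper bound.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Groundhogg
 * Version: 4.4
 * Requires at least: 5.0
 */
"""

# Upper bound of the affected range stated in the advisory (<= 4.4).
MAX_AFFECTED_VERSION = "4.4"

# Matches the " * Version: x.y.z" line of a WordPress plugin header.
VERSION_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the raw Version: value from a plugin header, or None if absent."""
    match = VERSION_HEADER_RE.search(header_text)
    return match.group(1) if match else None


def version_tuple(version: str) -> tuple:
    """Turn '4.4.1' into (4, 4, 1).

    Assumption: any pre-release suffix (e.g. '4.4-beta') is dropped, so a
    pre-release of an affected version is still treated as affected.
    """
    match = re.match(r"\d+(?:\.\d+)*", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, ==, > b; '4.4' and '4.4.0' compare equal."""
    ta, tb = version_tuple(a), version_tuple(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(version: str, max_affected: str = MAX_AFFECTED_VERSION) -> bool:
    """True when the installed version falls inside the advisory's range."""
    return compare_versions(version, max_affected) <= 0


def assess_plugin_header(header_text: str) -> dict:
    """Classify a plugin header; 'affected' is None when no version is found."""
    version = parse_plugin_version(header_text)
    if version is None:
        return {"version": None, "affected": None, "reason": "no Version header found"}
    affected = is_affected(version)
    reason = f"version {version} {'<=' if affected else '>'} {MAX_AFFECTED_VERSION}"
    return {"version": version, "affected": affected, "reason": reason}


def assess_plugin_file(path: str) -> dict:
    """Read the first 8 KiB of a plugin's main file (the header lives there)."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return assess_plugin_header(handle.read(8192))


if __name__ == "__main__":
    print(assess_plugin_header(SAMPLE_PLUGIN_HEADER))
```

Point `assess_plugin_file` at the plugin's main PHP file inside `wp-content/plugins/` of an unpacked image layer or a live install; a `None` result means the file had no recognisable header and needs a manual look rather than a clean bill of health.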
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress instance via HTTP or HTTPS.
- Authentication: Required
A low-privilege account with the Sales Representative role is sufficient; no administrator credentials are needed.
- Victim interaction: Not required
No action by another user or administrator is needed to complete the attack.
- Attack complexity: Low
The exploit is reliable and condition-free, requiring no race conditions, special memory layout, or environmental timing.
Blast Radius
- Deletes arbitrary files on the web server, including WordPress core files, plugin files, or uploaded content.
- Corrupts the application to the point of a complete site outage, affecting all visitors and authenticated users.
- The scope-changed impact (S:C) means file deletion can reach beyond the WordPress installation itself, potentially affecting other applications or services sharing the same filesystem.
- Deleted configuration or credential files may expose sensitive data stored in those files or enable follow-on attacks.
How HarborGuard Handles This
Images containing Groundhogg at version 4.4 or below are flagged immediately upon CVE ingestion and surfaced in the affected customer environment's findings queue with a HIGH severity rating. Because no upstream fix has been published as of the CVE publication date, HarborGuard monitors the Patchstack advisory and the Groundhogg release feed on every ingest cycle. As a compensating control, customers can use network policy to restrict outbound and inbound access to the WordPress admin surface and apply role-based access controls to limit who can be assigned the Sales Representative role. For customers with auto-remediation enabled, a patched-image rebuild, regression test run, and PR against affected workloads will trigger automatically the moment an upstream fix version is published, with no manual intervention required.
Affected Products
- Groundhogg / Groundhogg: ≤ 4.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)