CVE-2023-1425

HIGH

WordPress CRM <2.7.9.4 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-1425. PoCs published by certuscyber.

AI-analyzed exploit summary The repository contains functional exploit code for CVE-2023-1425, demonstrating a UNION-based SQL Injection vulnerability in the WordPress YAWPP plugin. The PoC includes authentication, payload injection, and data exfiltration steps.

Description

The WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg WordPress plugin before 2.7.9.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins

Exploits (1)

github WORKING POC 3 stars

by certuscyber · pythonpoc

https://github.com/certuscyber/cve-pocs/tree/main/CVE-2023-1425

View Code ZIP pw:eip

The repository contains functional exploit code for CVE-2023-1425, demonstrating a UNION-based SQL Injection vulnerability in the WordPress YAWPP plugin. The PoC includes authentication, payload injection, and data exfiltration steps.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: WordPress YAWPP plugin <= 1.2

Auth required

Prerequisites: WordPress installation with YAWPP plugin · Contributor or higher role credentials

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (1)

Core 1

Core References

Exploit, Third Party Advisory exploit vdb-entry technical-description

https://wpscan.com/vulnerability/578f4179-e7be-4963-9379-5e694911b451

Scores

CVSS v3 7.2

EPSS 0.0085

EPSS Percentile 53.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

Status published

Products (1)

groundhogg/groundhogg < 2.7.9.4

Published Apr 10, 2023

Tracked Since Feb 18, 2026