Skip to main content

Geo Mashup CVE-2026-4061

| EUVDEUVD-2026-26779 HIGH
SQL Injection (CWE-89)
2026-05-02 Wordfence
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 02, 2026 - 12:31 vuln.today
EUVD ID Assigned
May 02, 2026 - 12:00 euvd
EUVD-2026-26779
Analysis Generated
May 02, 2026 - 12:00 vuln.today
CVE Published
May 02, 2026 - 11:16 nvd
HIGH 7.5

DescriptionCVE.org

The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'map_post_type' parameter in all versions up to, and including, 1.13.18. This is due to the SearchResults hook explicitly calling stripslashes_deep($_POST) which removes WordPress magic quotes protection, followed by the unsanitized map_post_type value being concatenated into an IN(...) clause without esc_sql() or $wpdb->prepare(). The 'any' branch of the same code correctly applies array_map('esc_sql', ...), but the else branch does not. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. Exploitation requires the Geo Search feature to be enabled in plugin settings.

AnalysisAI

Time-based blind SQL injection in Geo Mashup WordPress plugin allows unauthenticated remote attackers to extract database contents when Geo Search is enabled. The vulnerability stems from explicit removal of WordPress's built-in magic quotes protection via stripslashes_deep($_POST), combined with failure to sanitize the map_post_type parameter before SQL concatenation in an IN() clause. EPSS data not provided. No CISA KEV listing indicates this is not yet confirmed as actively exploited. Public exploit code status unknown, though detailed code references in Wordfence advisory provide clear exploitation path. Patch released in changeset 3503627.

Technical ContextAI

This is a classic SQL injection (CWE-89) in a WordPress plugin context. WordPress core historically applied 'magic quotes' to sanitize user input, but many plugins including Geo Mashup explicitly strip these protections using stripslashes_deep() for processing flexibility. The vulnerability occurs in the SearchResults hook where the map_post_type POST parameter is used to build a SQL IN() clause. The code contains a conditional branch: when map_post_type equals 'any', the plugin correctly applies array_map('esc_sql', ...) to sanitize values. However, the else branch directly concatenates unsanitized input without using WordPress's esc_sql() function or $wpdb->prepare() parameterized queries. This allows attackers to inject SQL commands. The time-based blind approach mentioned means attackers use SQL time delay functions (like SLEEP() in MySQL) to infer data one bit at a time by measuring response times, working around the lack of direct error messages or visible output.

RemediationAI

Upgrade Geo Mashup to version 1.13.19 or later, which contains the fix delivered in WordPress plugin changeset 3503627 (https://plugins.trac.wordpress.org/changeset/3503627/). The patch properly sanitizes the map_post_type parameter in the else branch to match the security controls already present in the 'any' branch. If immediate patching is not feasible, disable the Geo Search feature in the plugin's settings as a temporary compensating control-this eliminates the vulnerable code path entirely but removes geolocation search functionality from the site. Alternatively, implement Web Application Firewall (WAF) rules to inspect POST requests to WordPress endpoints for SQL injection patterns targeting the map_post_type parameter, specifically looking for SQL metacharacters, time-delay functions (SLEEP, BENCHMARK), or comment sequences, though this may generate false positives and requires ongoing rule tuning. Review database access logs for unusual query patterns or time-delayed responses that might indicate exploitation attempts prior to patching.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-4061 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy