Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'map_post_type' parameter in all versions up to, and including, 1.13.18. This is due to the SearchResults hook explicitly calling stripslashes_deep($_POST) which removes WordPress magic quotes protection, followed by the unsanitized map_post_type value being concatenated into an IN(...) clause without esc_sql() or $wpdb->prepare(). The 'any' branch of the same code correctly applies array_map('esc_sql', ...), but the else branch does not. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. Exploitation requires the Geo Search feature to be enabled in plugin settings.
AnalysisAI
Time-based blind SQL injection in Geo Mashup WordPress plugin allows unauthenticated remote attackers to extract database contents when Geo Search is enabled. The vulnerability stems from explicit removal of WordPress's built-in magic quotes protection via stripslashes_deep($_POST), combined with failure to sanitize the map_post_type parameter before SQL concatenation in an IN() clause. EPSS data not provided. No CISA KEV listing indicates this is not yet confirmed as actively exploited. Public exploit code status unknown, though detailed code references in Wordfence advisory provide clear exploitation path. Patch released in changeset 3503627.
Technical ContextAI
This is a classic SQL injection (CWE-89) in a WordPress plugin context. WordPress core historically applied 'magic quotes' to sanitize user input, but many plugins including Geo Mashup explicitly strip these protections using stripslashes_deep() for processing flexibility. The vulnerability occurs in the SearchResults hook where the map_post_type POST parameter is used to build a SQL IN() clause. The code contains a conditional branch: when map_post_type equals 'any', the plugin correctly applies array_map('esc_sql', ...) to sanitize values. However, the else branch directly concatenates unsanitized input without using WordPress's esc_sql() function or $wpdb->prepare() parameterized queries. This allows attackers to inject SQL commands. The time-based blind approach mentioned means attackers use SQL time delay functions (like SLEEP() in MySQL) to infer data one bit at a time by measuring response times, working around the lack of direct error messages or visible output.
RemediationAI
Upgrade Geo Mashup to version 1.13.19 or later, which contains the fix delivered in WordPress plugin changeset 3503627 (https://plugins.trac.wordpress.org/changeset/3503627/). The patch properly sanitizes the map_post_type parameter in the else branch to match the security controls already present in the 'any' branch. If immediate patching is not feasible, disable the Geo Search feature in the plugin's settings as a temporary compensating control-this eliminates the vulnerable code path entirely but removes geolocation search functionality from the site. Alternatively, implement Web Application Firewall (WAF) rules to inspect POST requests to WordPress endpoints for SQL injection patterns targeting the map_post_type parameter, specifically looking for SQL metacharacters, time-delay functions (SLEEP, BENCHMARK), or comment sequences, though this may generate false positives and requires ongoing rule tuning. Review database access logs for unusual query patterns or time-delayed responses that might indicate exploitation attempts prior to patching.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26779