GEO my WordPress CVE-2026-52715

EUVD-2026-37051 · CRITICAL
SQL Injection (CWE-89)
2026-06-16 · Patchstack · GHSA-8ph6-g5r7-mqc9
CVSS 3.1 base score 9.3 (Vendor: Patchstack)

Severity by source

Vendor (Patchstack), primary: 9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

vuln.today AI: 8.2 HIGH

Network-reachable WordPress plugin, no auth or interaction; SQLi typically allows DB read (C:H) and limited writes via INSERT/UPDATE chaining (I:L), scope unchanged within the database authority.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline

CVE Published: Jun 16, 2026 - 09:00 (cve.org)
Analysis Generated: Jun 16, 2026 - 10:22 (vuln.today)

Description (CVE.org)

Unauthenticated SQL Injection in GEO my WordPress <= 4.5.5 versions.

Analysis (AI)

Unauthenticated SQL injection in the GEO my WordPress plugin versions 4.5.5 and earlier allows remote attackers to inject arbitrary SQL into backend queries against WordPress sites running the plugin. The flaw was disclosed via Patchstack, carries a CVSS 9.3 with scope change, and currently has no public exploit identified at time of analysis, though SQL injection in WordPress plugins is historically a high-value automated target.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Scan for geo-my-wp plugin
Delivery: Send crafted geo-search HTTP request
Exploit: SQL injected into backend query
Execution: Extract wp_users and wp_options data
Persist: Crack admin hashes offline
Impact: Authenticate to WordPress admin

Vulnerability Assessment (AI)

Exploitation: No special conditions - remote unauthenticated exploitation against default installations of the GEO my WordPress plugin at version 4.5.5 or earlier, with no user interaction required per CVSS PR:N/UI:N. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N indicates network-reachable, low-complexity, unauthenticated exploitation with no user interaction - the worst combination for prerequisites and a strong fit for opportunistic mass-scanning by botnets that routinely sweep WordPress installs. …

Exploit Scenario: An attacker scans internet-facing WordPress sites for the GEO my WordPress plugin and sends a crafted HTTP request to a vulnerable geo-search endpoint, embedding SQL syntax in a location, distance, or filter parameter. The injection is concatenated into a backend query, allowing the attacker to extract administrator password hashes from wp_users and secret keys from wp_options without any authentication or user interaction. …

Remediation: An upstream fix is available per the Patchstack advisory; the patched version number is not independently confirmed in the provided data, so administrators should consult the Patchstack entry at https://patchstack.com/database/wordpress/plugin/geo-my-wp/vulnerability/wordpress-geo-my-wordpress-plugin-4-5-5-sql-injection-vulnerability and the plugin's WordPress.org listing, and install the latest release above 4.5.5. …

Recommended Action (AI)

Within 24 hours: Audit all WordPress installations for GEO my WordPress plugin versions 4.5.5 or earlier; notify business stakeholders and activate incident response protocols. …
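One way to carry out the audit step above across a fleet, as an added example that is neither vuln.today's nor the plugin's code: it reads the plugin's Version header from the geo-my-wp plugin directory the way WordPress's own plugin loader does, and compares versions numerically so that a hypothetical 4.5.10 is not mistaken for an affected release. The main file name, the install paths and the sample versions are constructed for the demo.

```python
"""Audit WordPress installs for GEO my WordPress at or below 4.5.5 (added example, not vuln.today's code)."""
import re
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

PLUGIN_SLUG = "geo-my-wp"   # plugin directory name under wp-content/plugins (named on the page)
LAST_AFFECTED = "4.5.5"     # advisory: every version <= 4.5.5 is affected
# Version header as WordPress writes it in the main plugin file's comment block.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE)

def parse_version(v: str) -> Tuple[int, ...]:
    """'4.5.10' -> (4, 5, 10); pre-release suffixes such as '-beta1' are dropped (conservative)."""
    return tuple(int(n) for n in re.findall(r"\d+", v.split("-")[0]))

def is_affected(version: str) -> bool:
    """Numeric comparison: 4.5.10 is newer than 4.5.5, which a plain string compare would get wrong."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)

def plugin_version(plugin_dir: Path) -> Optional[str]:
    """Find the Version: header by scanning top-level .php files, as WordPress's get_plugins() does."""
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # WordPress reads the first 8 KiB for headers
        if "Plugin Name:" in head:
            m = VERSION_RE.search(head)
            if m:
                return m.group(1)
    return None

def audit(wp_roots: List[str]) -> List[Tuple[str, Optional[str], bool]]:
    """Return (root, version, affected) for every install that has the plugin; unknown version is flagged."""
    findings = []
    for root in wp_roots:
        pdir = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
        if pdir.is_dir():
            ver = plugin_version(pdir)
            findings.append((root, ver, ver is None or is_affected(ver)))
    return findings

def demo() -> List[Tuple[str, Optional[str], bool]]:
    """Constructed sample: two fake installs, one at 4.5.5 and one at a hypothetical 4.5.10."""
    base = Path(tempfile.mkdtemp())
    for name, ver in (("site-a", "4.5.5"), ("site-b", "4.5.10")):
        pdir = base / name / "wp-content" / "plugins" / PLUGIN_SLUG
        pdir.mkdir(parents=True)
        (pdir / "geo-my-wp.php").write_text(  # main file name is an assumption for the demo
            f"<?php\n/**\n * Plugin Name: GEO my WordPress\n * Version: {ver}\n */\n")
    return audit([str(base / "site-a"), str(base / "site-b")])
```

On a real host, pass the document roots of your WordPress installs to `audit()`; an install whose Version header cannot be read is reported as affected so it gets looked at by hand.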



CVE-2026-52715 vulnerability details – vuln.today
