Geo Mashup
Monthly
SQL injection in the Geo Mashup WordPress plugin (versions <= 1.13.19) allows authenticated users with Subscriber-level privileges to inject arbitrary SQL queries via unsanitized input, leading to confidentiality compromise and limited availability impact across other WordPress components. No public exploit identified at time of analysis, but the low privilege barrier (any registered subscriber) on a widely-deployed plugin class makes this a meaningful risk for WordPress sites with open registration. The Scope:Changed CVSS metric indicates the SQL injection can affect resources beyond the plugin's own security authority.
Stored XSS in the Geo Mashup WordPress plugin (versions through 1.13.18) allows authenticated low-privileged users to persistently inject malicious JavaScript into pages served by the affected site. When a higher-privileged user - such as an administrator - views the content containing the stored payload, the script executes in their browser under a changed scope, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit has been identified at time of analysis, and an EPSS of 0.03% (10th percentile) combined with SSVC exploitation status of 'none' confirms very low current real-world exploitation activity.
The Geo Mashup plugin before 1.10.4 for WordPress has insufficient sanitization of post editor and other user input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site scripting (XSS) vulnerability in the geo search widget in the Geo Mashup plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the search key. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.
SQL injection in the Geo Mashup WordPress plugin (versions <= 1.13.19) allows authenticated users with Subscriber-level privileges to inject arbitrary SQL queries via unsanitized input, leading to confidentiality compromise and limited availability impact across other WordPress components. No public exploit identified at time of analysis, but the low privilege barrier (any registered subscriber) on a widely-deployed plugin class makes this a meaningful risk for WordPress sites with open registration. The Scope:Changed CVSS metric indicates the SQL injection can affect resources beyond the plugin's own security authority.
Stored XSS in the Geo Mashup WordPress plugin (versions through 1.13.18) allows authenticated low-privileged users to persistently inject malicious JavaScript into pages served by the affected site. When a higher-privileged user - such as an administrator - views the content containing the stored payload, the script executes in their browser under a changed scope, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit has been identified at time of analysis, and an EPSS of 0.03% (10th percentile) combined with SSVC exploitation status of 'none' confirms very low current real-world exploitation activity.
The Geo Mashup plugin before 1.10.4 for WordPress has insufficient sanitization of post editor and other user input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site scripting (XSS) vulnerability in the geo search widget in the Geo Mashup plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the search key. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.