PT-2026-57075 · Ninjew · Geo My Wp

Publicado

2026-07-10

·

Atualizado

2026-07-10

·

CVE-2026-15300

CVSS v3.1

9.1

Crítica

VetorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
The GEO my WP plugin for WordPress was vulnerable to SQL Injection via the 'distance', 'lat', and 'lng' parameters in versions up to, and including, 4.5.4. The values were read from $ SERVER['QUERY STRING'] via parse str() (bypassing wp magic quotes, which does not cover $ SERVER), then passed through bare esc sql() before being interpolated into unquoted numeric positions in the proximity-search query (HAVING/SELECT clause distance math, BETWEEN bounding-box pre-filter) built by gmw locations query() in plugins/posts-locator/includes/class-gmw-wp-query.php. Because esc sql() only escapes string delimiters and these positions are numeric, payloads such as 1 OR SLEEP(3) survived sanitization. Fixed in 4.5.5 by adding an upstream is numeric() guard that short-circuits the WHERE clause to AND 1 = 0 when either coordinate is non-numeric, and by replacing the three esc sql() calls with (float) casts.

Correção

SQL injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-15300

Produtos afetados

Geo My Wp