PT-2026-57075 · Ninjew · Geo My Wp
Publicado
2026-07-10
·
Atualizado
2026-07-10
·
CVE-2026-15300
CVSS v3.1
9.1
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
The GEO my WP plugin for WordPress was vulnerable to SQL Injection via the 'distance', 'lat', and 'lng' parameters in versions up to, and including, 4.5.4. The values were read from $ SERVER['QUERY STRING'] via parse str() (bypassing wp magic quotes, which does not cover $ SERVER), then passed through bare esc sql() before being interpolated into unquoted numeric positions in the proximity-search query (HAVING/SELECT clause distance math, BETWEEN bounding-box pre-filter) built by gmw locations query() in plugins/posts-locator/includes/class-gmw-wp-query.php. Because esc sql() only escapes string delimiters and these positions are numeric, payloads such as
1 OR SLEEP(3) survived sanitization. Fixed in 4.5.5 by adding an upstream is numeric() guard that short-circuits the WHERE clause to AND 1 = 0 when either coordinate is non-numeric, and by replacing the three esc sql() calls with (float) casts.Correção
SQL injection
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Geo My Wp