PT-2026-36592 · WordPress · Geo Mashup

Leonid Semenenko

·

Published

2026-05-02

·

Updated

2026-05-02

·

CVE-2026-6457

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Geo Mashup, versions prior to 1.13.20

Description

The Geo Mashup plugin for WordPress contains a time-based blind SQL injection: the injected query returns no data directly, so the attacker encodes a condition in a deliberate delay and infers the answer from how long the server takes to respond. The flaw is caused by insufficient escaping of a user-supplied parameter and the absence of proper preparation of the SQL statement that uses it. An authenticated attacker with subscriber-level access or higher can exploit the geo mashup null fields parameter to append additional SQL to the existing query and extract sensitive information from the database.

Recommendations

Update the plugin to version 1.13.20 or later. Until the update can be applied, restrict access to the functionality that accepts the geo mashup null fields parameter so that low-privileged accounts cannot reach it. Because any authenticated user (subscriber level and above) can exploit the flaw, this workaround only reduces the exposure, and on sites with open registration the subscriber-level requirement is a weak barrier.

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2026-6457

Affected Products

Geo Mashup