PT-2026-36606 · WordPress · Geo Mashup

Naoya Takahashi

·

Published

2026-05-02

·

Updated

2026-05-02

·

CVE-2026-4060

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Geo Mashup versions prior to 1.13.19
Description

The Geo Mashup plugin for WordPress contains a time-based blind SQL injection flaw. The sort parameter is not properly escaped or prepared before being used in a SQL query: it is interpolated directly into the ORDER BY clause, where esc_sql() is ineffective because the value is not enclosed in quotes, so a payload that contains no quote characters passes through unchanged. Although an allowlist-based sanitizer, sanitize_sort_arg(), exists, it is only applied in sanitize_query_args() for AJAX requests and is missing from the render-map.php and template tag code paths. Consequently, unauthenticated attackers can append SQL to the ORDER BY clause and use time-based inference to extract sensitive information from the database.

Recommendations

Update the plugin to version 1.13.19 or later. As a temporary workaround, restrict access to the render-map.php file and avoid using the sort parameter in template tags until the update is applied.
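The escaped-but-unquoted ORDER BY pattern the description refers to, beside the allowlist check that closes it, as an added example that is not the plugin's code or the advisory's. It uses Python with an in-memory SQLite database and constructed sample rows. escape_quotes() stands in for quote escaping of the esc_sql() kind; sanitize_sort_arg() here is a hypothetical allowlist modelled on the description (the plugin's real list of sortable columns is not on the page); the posts/users tables, column names and the hash value are constructed. SQLite has no SLEEP(), so the blind oracle below observes row order instead of response time; the injection point and the fix are the same as in the time-based case.

```python
import sqlite3

# Constructed sample schema and rows (not data from the plugin or the advisory).
SCHEMA = """
CREATE TABLE posts (id INTEGER PRIMARY KEY, post_title TEXT);
INSERT INTO posts VALUES (1, 'Zulu'), (2, 'Alpha'), (3, 'Mike');
CREATE TABLE users (ID INTEGER PRIMARY KEY, user_pass TEXT);
INSERT INTO users VALUES (1, '$P$BexampleHashNotReal');
"""

# Hypothetical allowlist; the plugin's real sortable columns are not given on the page.
ALLOWED_SORT_COLUMNS = {"post_title", "post_date", "lat", "lng"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

ORDER_BY_TITLE = ["Alpha", "Mike", "Zulu"]  # what ORDER BY post_title yields
ORDER_BY_ID = ["Zulu", "Alpha", "Mike"]     # what ORDER BY id yields


def escape_quotes(value: str) -> str:
    """Stand-in for quote escaping such as esc_sql(): makes a value safe INSIDE a
    quoted string literal (SQLite doubles single quotes, MySQL backslash-escapes).
    It changes nothing in a payload that contains no quotes at all."""
    return value.replace("'", "''")


def build_query_escaped(sort: str) -> str:
    """Vulnerable pattern: escaped but unquoted, so `sort` is spliced in as raw SQL."""
    return f"SELECT id, post_title FROM posts ORDER BY {escape_quotes(sort)}"


def sanitize_sort_arg(sort: str) -> str:
    """Hypothetical allowlist: accept only '<column> [ASC|DESC]' built from known tokens."""
    parts = sort.strip().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError(f"rejected sort argument: {sort!r}")
    column = parts[0]
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if column not in ALLOWED_SORT_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"rejected sort argument: {sort!r}")
    return f"{column} {direction}"


def build_query_allowlisted(sort: str) -> str:
    """Hardened pattern: the allowlist runs on every path that reaches the query."""
    return f"SELECT id, post_title FROM posts ORDER BY {sanitize_sort_arg(sort)}"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def titles(conn: sqlite3.Connection, query: str) -> list:
    return [row[1] for row in conn.execute(query)]


def first_char_is(conn: sqlite3.Connection, ordinal: int) -> bool:
    """Boolean oracle through the ORDER BY slot. The payload has no quote characters,
    so escaping leaves it untouched, and the resulting row order answers a yes/no
    question about a different table. On MySQL the same slot takes a SLEEP()-based
    condition, which is the time-based variant the advisory describes."""
    payload = (
        "(CASE WHEN (SELECT unicode(user_pass) FROM users WHERE ID = 1) "
        f"= {ordinal} THEN post_title ELSE id END)"
    )
    return titles(conn, build_query_escaped(payload)) == ORDER_BY_TITLE


def recover_first_char(conn: sqlite3.Connection) -> str:
    """Blind extraction: ask the oracle about each printable ordinal in turn."""
    for ordinal in range(32, 127):
        if first_char_is(conn, ordinal):
            return chr(ordinal)
    return ""


def allowlist_blocks(sort: str) -> bool:
    """True when the hardened builder refuses the sort value."""
    try:
        build_query_allowlisted(sort)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = fresh_db()
    print(titles(conn, build_query_escaped("post_title")))  # legitimate sort still works
    print(recover_first_char(conn))                         # first byte of users.user_pass
    print(allowlist_blocks("(SELECT 1)"))                   # hardened path rejects it
```

The escaped builder is the bug: escaping only protects values that sit between quotes, and an ORDER BY column name never does. The only robust fix for a column-name slot is the allowlist, applied on every code path that builds the query, which is exactly the gap the advisory describes between the AJAX path and the render-map.php and template tag paths.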

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-4060

Affected Products

Geo Mashup