PT-2026-36607 · WordPress · Geo Mashup

Naoya Takahashi · Published 2026-05-02 · Updated 2026-05-02 · CVE-2026-4061

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Geo Mashup versions prior to 1.13.19
Description: The Geo Mashup plugin for WordPress allows unauthenticated attackers to extract sensitive database information via time-based blind SQL injection. The SearchResults hook calls stripslashes_deep($_POST), which strips the slashes WordPress adds to request data (removing that layer of protection), and then concatenates the unsanitized map_post_type parameter into an IN (...) clause without esc_sql() or $wpdb->prepare(). The flaw is in the else branch of that code; the any branch is handled correctly. Exploitation is possible only if the Geo Search feature is enabled in the plugin settings.
Recommendations: Update to a version later than 1.13.18. As a temporary workaround, disable the Geo Search feature in the plugin settings to reduce the risk of exploitation.
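The following is an added illustration of the code pattern the advisory describes and of its hardened counterpart. It is not the Geo Mashup plugin's own code: the function names, the query shape and the `$request` array are assumptions for the example, and it assumes a WordPress environment (`$wpdb`, `wp_unslash()`, `sanitize_key()`, `get_post_types()`). The vulnerable form shows the else branch of the pattern (a non-"any" value concatenated straight into `IN (...)`); the hardened form keeps the "any" branch as-is, reduces the remaining values to registered post types, and binds each one with a `%s` placeholder through `$wpdb->prepare()`.

```php
<?php
// Added illustrative example; not the Geo Mashup plugin's code.
// Assumes WordPress is loaded ($wpdb, wp_unslash, sanitize_key, get_post_types).

// Vulnerable pattern as the advisory describes it: the request value is
// unslashed and then concatenated into an IN (...) clause with no escaping.
function example_vulnerable_query( array $request ) {
    global $wpdb;
    $post_type = isset( $request['map_post_type'] ) ? $request['map_post_type'] : 'any';

    if ( 'any' === $post_type ) {
        // The "any" branch never touches user input in SQL, so it is safe.
        return "SELECT ID FROM {$wpdb->posts} WHERE post_status = 'publish'";
    }

    // else branch: unsanitized user input reaches the SQL string directly.
    $types = implode( "','", explode( ',', $post_type ) );
    return "SELECT ID FROM {$wpdb->posts} WHERE post_status = 'publish' AND post_type IN ('$types')";
}

// Hardened form: allow-list the requested post types against those the site
// has registered, then bind every surviving value with a %s placeholder.
function example_hardened_query( array $request ) {
    global $wpdb;
    $post_type = isset( $request['map_post_type'] ) ? wp_unslash( $request['map_post_type'] ) : 'any';

    if ( 'any' === $post_type ) {
        return "SELECT ID FROM {$wpdb->posts} WHERE post_status = 'publish'";
    }

    // sanitize_key() restricts each value to [a-z0-9_-]; array_intersect()
    // then drops anything that is not a registered post type name.
    $requested = array_map( 'sanitize_key', explode( ',', (string) $post_type ) );
    $allowed   = array_values( array_intersect( $requested, get_post_types() ) );

    if ( empty( $allowed ) ) {
        return null; // nothing valid was requested: run no query at all
    }

    // One %s placeholder per value; $wpdb->prepare() accepts the array of args.
    $placeholders = implode( ', ', array_fill( 0, count( $allowed ), '%s' ) );
    return $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_status = 'publish' AND post_type IN ($placeholders)",
        $allowed
    );
}
```

The allow-list step is what makes the fix robust: even if a future change forgot the placeholders, a value that is not a registered post type name never reaches the query. `esc_sql()` on each element would also close the injection, but `$wpdb->prepare()` with placeholders is the idiomatic WordPress form and is easier to audit.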

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2026-4061

Affected Products

Geo Mashup