PT-2026-36608 · WordPress · Geo Mashup

Naoya Takahashi · Published 2026-05-02 · Updated 2026-05-02 · CVE-2026-4062

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Geo Mashup versions prior to 1.13.19

Description: The Geo Mashup plugin for WordPress contains a time-based blind SQL injection flaw. It allows unauthenticated attackers to append additional SQL to existing queries and extract sensitive information from the database. The flaw exists because user-supplied parameters are not sufficiently escaped or prepared before being used in SQL queries. Specifically, the esc_sql() function is used, but it only escapes values for use inside quoted string literals and therefore does not protect against parenthesis or SQL keyword injection when values are placed in unquoted IN(...) or NOT IN(...) contexts. A numeric-only sanitizer is present in the sanitize_query_args() function, but it is only applied in the AJAX code path and is missing from the render-map.php and template tag code paths. The affected parameters are 'object_ids' and 'exclude_object_ids'.

Recommendations: Update the plugin to a version later than 1.13.18.
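The pattern the advisory describes, shown as an added example rather than the plugin's own code: an ID list assembled into an unquoted IN(...) clause with esc_sql() alone, next to the hardened form that coerces every element to an integer and binds it through $wpdb->prepare(). Function names, the table name and the parameter names are hypothetical; esc_sql(), wp_parse_id_list() and $wpdb->prepare() are real WordPress core APIs.

```php
<?php
// Added illustration, not Geo Mashup's code. The table name
// "{$wpdb->prefix}example_locations" and both function names are hypothetical.

// Insufficient: esc_sql() only escapes quotes and backslashes for use
// inside a quoted string literal. In an unquoted IN(...) list it leaves
// parentheses and SQL keywords untouched, so the request value is still
// parsed as SQL rather than treated as data. This is the defect the
// advisory describes for the render-map.php and template tag code paths.
function example_ids_query_unsafe( $object_ids ) {
    global $wpdb;
    $list = esc_sql( $object_ids ); // e.g. "1,2,3" taken from a request parameter
    return "SELECT * FROM {$wpdb->prefix}example_locations WHERE object_id IN ({$list})";
}

// Hardened: reduce the input to unique non-negative integers and bind each
// one with a %d placeholder. Whatever the request contained, the clause can
// only ever hold integers. Apply the same treatment to 'exclude_object_ids'
// (NOT IN) and in every code path, not just the AJAX handler.
function example_ids_query_safe( $object_ids ) {
    global $wpdb;
    // wp_parse_id_list() accepts "1,2,3" or an array and returns unique ints >= 0.
    $ids = wp_parse_id_list( $object_ids );
    if ( empty( $ids ) ) {
        return null; // no valid IDs: caller should treat this as an empty result
    }
    // One %d placeholder per ID, e.g. "%d,%d,%d".
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    return $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_locations WHERE object_id IN ({$placeholders})",
        $ids // prepare() accepts the bound values as a single array
    );
}
```

The key design point is that escaping is context-dependent: esc_sql() is correct for a value that will sit between quotes, and wrong for one that will not. Type coercion plus placeholders removes the question of context entirely, which is why the fix belongs in a shared sanitizer that every code path calls rather than in one handler.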

Fix

SQL injection


Weakness Enumeration

Related Identifiers: CVE-2026-4062

Affected Products: Geo Mashup