PT-2026-45090 · WordPress · Geo My Wp

Naoya Takahashi

·

Published

2026-05-30

·

Updated

2026-06-09

·

CVE-2026-9757

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions GEO my WP versions prior to 4.5.6
Description The plugin is subject to SQL Injection, allowing unauthenticated attackers to append additional SQL queries to extract sensitive information from the database. The issue occurs because the swlatlng and nelatlng parameters are read from $ SERVER['QUERY STRING'] via parse str(), bypassing standard WordPress protection. These parameters are then split and interpolated directly into a SQL BETWEEN clause within the gmw get locations within boundaries sql() function without proper validation, casting, or escaping. Exploitation requires the site to host the Posts Locator search-results shortcode ([gmw form="results" form id=N]) on a public page and have at least one published post with an associated gmw location row.
Recommendations Update to a version later than 4.5.5. As a temporary workaround, avoid using the swlatlng and nelatlng parameters or restrict access to pages hosting the Posts Locator search-results shortcode.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9757

Affected Products

Geo My Wp