PT-2026-45090 · WordPress · Geo My Wp
Naoya Takahashi
·
Published
2026-05-30
·
Updated
2026-06-09
·
CVE-2026-9757
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
GEO my WP versions prior to 4.5.6
Description
The plugin is subject to SQL Injection, allowing unauthenticated attackers to append additional SQL queries to extract sensitive information from the database. The issue occurs because the
swlatlng and nelatlng parameters are read from $ SERVER['QUERY STRING'] via parse str(), bypassing standard WordPress protection. These parameters are then split and interpolated directly into a SQL BETWEEN clause within the gmw get locations within boundaries sql() function without proper validation, casting, or escaping. Exploitation requires the site to host the Posts Locator search-results shortcode ([gmw form="results" form id=N]) on a public page and have at least one published post with an associated gmw location row.Recommendations
Update to a version later than 4.5.5.
As a temporary workaround, avoid using the
swlatlng and nelatlng parameters or restrict access to pages hosting the Posts Locator search-results shortcode.Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Geo My Wp