PT-2026-57075 · Ninjew · Geo My Wp
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-15300
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
The GEO my WP plugin for WordPress was vulnerable to SQL Injection via the 'distance', 'lat', and 'lng' parameters in versions up to, and including, 4.5.4. The values were read from $ SERVER['QUERY STRING'] via parse str() (bypassing wp magic quotes, which does not cover $ SERVER), then passed through bare esc sql() before being interpolated into unquoted numeric positions in the proximity-search query (HAVING/SELECT clause distance math, BETWEEN bounding-box pre-filter) built by gmw locations query() in plugins/posts-locator/includes/class-gmw-wp-query.php. Because esc sql() only escapes string delimiters and these positions are numeric, payloads such as
1 OR SLEEP(3) survived sanitization. Fixed in 4.5.5 by adding an upstream is numeric() guard that short-circuits the WHERE clause to AND 1 = 0 when either coordinate is non-numeric, and by replacing the three esc sql() calls with (float) casts.Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Geo My Wp