PT-2026-57075 · Ninjew · Geo My Wp

Published

2026-07-10

·

Updated

2026-07-10

·

CVE-2026-15300

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
The GEO my WP plugin for WordPress was vulnerable to SQL Injection via the 'distance', 'lat', and 'lng' parameters in versions up to, and including, 4.5.4. The values were read from $ SERVER['QUERY STRING'] via parse str() (bypassing wp magic quotes, which does not cover $ SERVER), then passed through bare esc sql() before being interpolated into unquoted numeric positions in the proximity-search query (HAVING/SELECT clause distance math, BETWEEN bounding-box pre-filter) built by gmw locations query() in plugins/posts-locator/includes/class-gmw-wp-query.php. Because esc sql() only escapes string delimiters and these positions are numeric, payloads such as 1 OR SLEEP(3) survived sanitization. Fixed in 4.5.5 by adding an upstream is numeric() guard that short-circuits the WHERE clause to AND 1 = 0 when either coordinate is non-numeric, and by replacing the three esc sql() calls with (float) casts.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-15300

Affected Products

Geo My Wp