CVE-2026-15300
Received Received - Intake

SQL Injection in GEO my WP WordPress Plugin

Vulnerability report for CVE-2026-15300, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: Wordfence

Description

The GEO my WP plugin for WordPress was vulnerable to SQL Injection via the 'distance', 'lat', and 'lng' parameters in versions up to, and including, 4.5.4. The values were read from $_SERVER['QUERY_STRING'] via parse_str() (bypassing wp_magic_quotes, which does not cover $_SERVER), then passed through bare esc_sql() before being interpolated into unquoted numeric positions in the proximity-search query (HAVING/SELECT clause distance math, BETWEEN bounding-box pre-filter) built by gmw_locations_query() in plugins/posts-locator/includes/class-gmw-wp-query.php. Because esc_sql() only escapes string delimiters and these positions are numeric, payloads such as `1 OR SLEEP(3)` survived sanitization. Fixed in 4.5.5 by adding an upstream is_numeric() guard that short-circuits the WHERE clause to `AND 1 = 0` when either coordinate is non-numeric, and by replacing the three esc_sql() calls with (float) casts.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
geo_my_wp geo_my_wp to 4.5.4 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The GEO my WP plugin for WordPress had a SQL Injection vulnerability in versions up to and including 4.5.4. This issue was caused by the plugin reading certain parameters ('distance', 'lat', and 'lng') directly from the query string without proper numeric validation. Although the values were passed through esc_sql() for sanitization, this function only escapes string delimiters and does not protect numeric fields. As a result, malicious payloads like '1 OR SLEEP(3)' could bypass sanitization and be injected into the SQL query, potentially altering its behavior.

The vulnerability was fixed in version 4.5.5 by adding an is_numeric() check to ensure only numeric values are processed, and by casting the parameters to float, preventing injection attacks.

Impact Analysis

This SQL Injection vulnerability can allow an attacker to execute arbitrary SQL commands on the database used by the GEO my WP plugin. Specifically, it can lead to denial of service through commands like SLEEP(), or potentially more harmful impacts such as data manipulation or unauthorized data access.

Because the vulnerability has a high CVSS score (9.1) with impact on integrity and availability, it poses a serious risk to the affected WordPress sites, potentially causing service disruption or data integrity issues.

Detection Guidance

This vulnerability involves SQL Injection via the 'distance', 'lat', and 'lng' parameters in the GEO my WP WordPress plugin. Detection can focus on monitoring HTTP requests that include these parameters with suspicious payloads such as '1 OR SLEEP(3)'.

You can detect potential exploitation attempts by searching web server logs or using network monitoring tools to identify requests containing these parameters with non-numeric or SQL injection payloads.

  • Use grep or similar tools on web server logs to find suspicious requests, e.g.: grep -iE "(distance|lat|lng)=(1 OR|SLEEP)" access.log
  • Use tools like tcpdump or Wireshark to capture HTTP traffic and filter for requests containing 'distance', 'lat', or 'lng' parameters with suspicious values.
  • Employ web application firewalls (WAFs) with rules to detect SQL injection patterns in these specific parameters.
Mitigation Strategies

The vulnerability is fixed in GEO my WP plugin version 4.5.5 by adding an upstream is_numeric() guard and replacing esc_sql() calls with float casts.

Immediate mitigation steps include:

  • Update the GEO my WP plugin to version 4.5.5 or later.
  • If immediate update is not possible, block or filter HTTP requests containing suspicious payloads in the 'distance', 'lat', and 'lng' parameters at the web server or firewall level.
  • Monitor logs for exploitation attempts and respond accordingly.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15300. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart