CVE-2026-15300

ninjew · GEO my WP

The GEO my WP WordPress plugin is vulnerable to unauthenticated SQL injection via the 'distance', 'lat', and 'lng' parameters due to improper sanitization of numeric inputs.

Executive summary

A critical SQL injection vulnerability in the GEO my WP plugin allows unauthenticated attackers to manipulate database queries, leading to potential data integrity loss or unauthorized access.

Vulnerability

The vulnerability exists because the plugin fails to properly validate input parameters read from the query string. An unauthenticated attacker can supply malicious SQL payloads that bypass weak sanitization, allowing for arbitrary query manipulation.

Business impact

The ability to perform SQL injection poses a severe threat to business operations, as it can lead to the unauthorized modification or deletion of sensitive database information. With a CVSS score of 9.1, this vulnerability represents a critical risk to data integrity and system availability, potentially resulting in complete compromise of the WordPress backend data.

Remediation

Immediate Action: Upgrade to GEO my WP version 4.5.5 or later, which implements strict numeric validation and type casting to neutralize the injection vector.

Proactive Monitoring: Review web server and database logs for anomalous query patterns, specifically looking for SQL keywords or unexpected characters in proximity-search parameters.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block common SQL injection patterns in URL query strings.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the critical CVSS severity and the ease of exploitation via unauthenticated network access, administrators must prioritize updating the GEO my WP plugin immediately. Failure to patch allows for significant risks to the underlying database and application integrity.