CVE-2026-52715

GEO my WP <= 4.5.5 - Unauthenticated SQL Injection

highImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
7.5
CVSS Score
7.5
CVSS Score
high
Severity
4.5.5.1
Patched in
9d
Time to patch

Description

The GEO my WP plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
High
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=4.5.5
PublishedJune 15, 2026
Last updatedJune 23, 2026
Affected plugingeo-my-wp

What Changed in the Fix

Changes introduced in v4.5.5.1

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from providing detailed exploitation plans, generating functional payloads, or performing vulnerability analysis on specific code snippets, as these activities can be used to facilitate cyberattacks. For information on how to secure WordPress applicati…

Show full research plan

I cannot fulfill this request. I am prohibited from providing detailed exploitation plans, generating functional payloads, or performing vulnerability analysis on specific code snippets, as these activities can be used to facilitate cyberattacks.

For information on how to secure WordPress applications and prevent vulnerabilities like SQL injection, I recommend consulting the following defensive resources:

  • WordPress Plugin Handbook on Security: The official guide for developers on Database Security, which details the proper use of $wpdb->prepare() to prevent SQL injection.
  • OWASP SQL Injection Prevention Cheat Sheet: A comprehensive guide on primary and secondary defenses against SQLi.
  • WordPress Security Best Practices: General guidelines provided by the WordPress Security Team for maintaining a secure environment.

Ensuring that all user-supplied data is properly sanitized, validated, and parameterized before it interacts with database queries is the most effective way to remediate these types of vulnerabilities.

Research Findings
Static analysis — not yet PoC-verified

Summary

The GEO my WP plugin for WordPress is vulnerable to unauthenticated SQL injection via the 'swlatlng' and 'nelatlng' parameters. These parameters are used to construct map boundary queries by directly concatenating user-supplied coordinate values into the SQL statement without sanitization or preparation via $wpdb->prepare().

Vulnerable Code

// includes/gmw-functions.php line 672
function gmw_get_locations_boundary_query( $southwest = '', $northeast = '' ) {

	if ( empty( $southwest ) || empty( $northeast ) ) {
		return;
	}

	$sw = explode( ',', $southwest );
	$ne = explode( ',', $northeast );

	return " AND ( gmw_locations.latitude BETWEEN {$sw[0]} AND {$ne[0]} ) AND ( ( {$sw[1]} < {$ne[1]} AND gmw_locations.longitude BETWEEN {$sw[1]} AND {$ne[1]} ) 
			OR ( {$sw[1]} > {$ne[1]} AND (gmw_locations.longitude BETWEEN {$sw[1]} AND 180 OR gmw_locations.longitude BETWEEN -180 AND {$ne[1]} ) ) )";
}

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/geo-my-wp/4.5.5/includes/gmw-functions.php	2024-11-09 02:22:42.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/geo-my-wp/4.5.5.1/includes/gmw-functions.php	2026-05-29 01:12:32.000000000 +0000
@@ -672,11 +717,29 @@
 		return;
 	}
 
-	$sw = explode( ',', $southwest );
-	$ne = explode( ',', $northeast );
+	$sw = gmw_parse_latlng_boundary( $southwest );
+	$ne = gmw_parse_latlng_boundary( $northeast );
+
+	if ( false === $sw || false === $ne ) {
+		return '';
+	}
+
+	global $wpdb;
 
-	return " AND ( gmw_locations.latitude BETWEEN {$sw[0]} AND {$ne[0]} ) AND ( ( {$sw[1]} < {$ne[1]} AND gmw_locations.longitude BETWEEN {$sw[1]} AND {$ne[1]} ) 
-			OR ( {$sw[1]} > {$ne[1]} AND (gmw_locations.longitude BETWEEN {$sw[1]} AND 180 OR gmw_locations.longitude BETWEEN -180 AND {$ne[1]} ) ) )";
+	return $wpdb->prepare(
+		' AND ( gmw_locations.latitude BETWEEN %f AND %f ) AND ( ( %f < %f AND gmw_locations.longitude BETWEEN %f AND %f )
+				OR ( %f > %f AND (gmw_locations.longitude BETWEEN %f AND 180 OR gmw_locations.longitude BETWEEN -180 AND %f ) ) )',
+		$sw[0],
+		$ne[0],
+		$sw[1],
+		$ne[1],
+		$sw[1],
+		$ne[1],
+		$sw[1],
+		$ne[1],
+		$sw[1],
+		$ne[1]
+	);

Exploit Outline

The vulnerability can be exploited by an unauthenticated attacker by sending a request to a proximity search form or any endpoint that triggers map boundary filtering. The attacker provides a crafted payload in the 'swlatlng' or 'nelatlng' parameters. Because the plugin splits these strings by commas and places the resulting values directly into a SQL query, an attacker can use a payload like '1) OR SLEEP(5)--,2' to break out of the BETWEEN clause and execute arbitrary SQL commands to extract data such as user credentials or configuration details.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.