Description
The Geo Mashup plugin for WordPress is vulnerable to SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.17. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-02-25
Score: 7.5 High
EPSS: 15.3% Moderate
KEV: No
Impact: Unauthorized extraction of WordPress database information via SQL injection
Action: Immediate Patch
AI Analysis

Impact

The Geo Mashup plugin for WordPress contains an unsanitized 'sort' query parameter that is directly embedded into a SQL statement. This oversight permits an attacker to inject additional SQL clauses into the existing query. Because the vulnerability does not require authentication, anyone able to send a crafted HTTP request can cause the database to execute the injected statements. The result is the potential leakage of sensitive data such as user credentials, content, or configuration stored in the WordPress database.

Affected Systems

All installations of the Geo Mashup plugin, developed by cyberhobo, running version 1.13.17 or earlier on WordPress sites are affected. The issue resides in the plugin’s database handling code and applies to any WordPress instance that has the vulnerable plugin activated.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is rated high severity. An EPSS score of 15% indicates a meaningful estimated probability that exploitation attempts will be observed in the wild. The flaw is not yet listed in the CISA KEV catalog, but because authentication is not required, attackers can target it from any external web request. A typical exploit would involve submitting a malicious 'sort' value in an HTTP request to the plugin's endpoint, resulting in unauthorized read access to the database.

Generated by OpenCVE AI on April 28, 2026 at 09:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Geo Mashup plugin to the latest released version that includes proper sanitization for the sort parameter.
  • If an upgrade is not immediately possible, deactivate or remove the Geo Mashup plugin from the WordPress installation to eliminate the vulnerable code path.
  • Implement a web application firewall rule or employ the OWASP ModSecurity Core Rule Set to detect and block SQL injection attempts directed at the sort parameter.
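
The sanitization the first recommended action refers to, shown as an added illustration that is not Geo Mashup's own code: an ORDER BY column cannot be bound with $wpdb->prepare(), so the safe fix is to map the 'sort' value onto an allowlist of developer-written clauses rather than escaping it (the table and column names below are placeholders).

```php
<?php
// Added illustration, not Geo Mashup's own code. Table and column names
// (locations, location_name, updated) are placeholders.
//
// Why escaping alone does not fix a 'sort' parameter: ORDER BY takes an
// identifier, and identifiers cannot be bound with $wpdb->prepare(), so
// the weak pattern behind CWE-89 here is splicing the request value in:
//   $sql = "SELECT * FROM {$wpdb->prefix}locations ORDER BY " . $_GET['sort'];
// Anything the client sends becomes part of the statement.
//
// Hardened pattern: the request value never reaches the SQL text. It only
// selects one entry from a fixed allowlist of clauses.
const GEO_SORT_ALLOWLIST = [
    'name'      => 'location_name ASC',
    'name_desc' => 'location_name DESC',
    'updated'   => 'updated ASC',
    'newest'    => 'updated DESC',
];

function geo_sort_clause(string $requested, string $default = 'newest'): string
{
    // Unknown keys fall back to the default instead of being passed through.
    $key = array_key_exists($requested, GEO_SORT_ALLOWLIST) ? $requested : $default;
    return 'ORDER BY ' . GEO_SORT_ALLOWLIST[$key];
}

// Self-check with constructed inputs: php sort_allowlist.php
$cases = [
    'name'                    => 'ORDER BY location_name ASC',
    'newest'                  => 'ORDER BY updated DESC',
    'location_name ASC'       => 'ORDER BY updated DESC', // raw SQL fragment: rejected, default used
    'location_name; SELECT 1' => 'ORDER BY updated DESC', // injected text: rejected, default used
    ''                        => 'ORDER BY updated DESC',
];
foreach ($cases as $input => $expected) {
    $actual = geo_sort_clause((string) $input);
    printf("%s %-27s => %s\n", $actual === $expected ? 'ok  ' : 'FAIL', json_encode($input), $actual);
}
```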

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 13:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Cyberhobo; Cyberhobo geo Mashup; Wordpress; Wordpress wordpress
Vendors & Products  |                | Cyberhobo; Cyberhobo geo Mashup; Wordpress; Wordpress wordpress

Wed, 25 Feb 2026 18:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 08:30:00 +0000

Type        | Values Removed | Values Added
Description |                | The Geo Mashup plugin for WordPress is vulnerable to SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.17. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title       |                | Geo Mashup <= 1.13.17 - Unauthenticated SQL Injection via 'sort' Parameter
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:43.074Z

Reserved: 2026-02-12T17:08:06.459Z

Link: CVE-2026-2416

Vulnrichment

Updated: 2026-02-25T16:37:51.736Z

NVD

Status: Deferred

Published: 2026-02-25T09:16:15.367

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2416

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:30:26Z

Weaknesses