Description
The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective in the `ORDER BY` context because the value is not enclosed in quotes. Additionally, while a `sanitize_sort_arg()` allowlist-based sanitizer was added in version 1.13.18, it is only applied in the AJAX code path (`sanitize_query_args()`) and not in the `render-map.php` or template tag code paths. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach.
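As an added illustration of the root cause (this is not Geo Mashup's own code), the snippet below contrasts the vulnerable pattern, in which an escaped but unquoted value is interpolated into ORDER BY, with an allowlist sanitizer of the kind the description says was added only on the AJAX path. The function, table and column names are assumed for the example.

```php
<?php
// Added illustration, not Geo Mashup's code: why esc_sql() cannot protect an
// unquoted ORDER BY value, beside an allowlist sanitizer that can.

// Stand-in for WordPress esc_sql(): it backslash-escapes quote characters,
// so a value that contains no quotes passes through unchanged.
function esc_sql_stub( string $value ): string {
    return addslashes( $value );
}

// Vulnerable pattern. The escaped value is interpolated bare into ORDER BY:
// there are no surrounding quotes to break out of, so escaping quotes does not
// constrain the SQL grammar and any quote-free expression becomes query text.
// Table and column names are hypothetical.
function build_query_unsafe( string $sort ): string {
    $sort = esc_sql_stub( $sort );
    return "SELECT id FROM example_locations ORDER BY $sort";
}

// Hardened pattern (a hypothetical analogue of an allowlist sanitize_sort_arg):
// the request value is mapped onto a fixed set of column names and directions,
// with a safe default for anything else, so no request bytes reach the SQL text.
function sanitize_sort_arg_example( string $sort ): string {
    $allowed_columns = [ 'id', 'lat', 'lng', 'saved_name' ];
    $parts  = preg_split( '/\s+/', trim( $sort ), 2 );
    $column = strtolower( $parts[0] ?? '' );
    $dir    = strtoupper( $parts[1] ?? 'ASC' );
    if ( ! in_array( $column, $allowed_columns, true ) ) {
        $column = 'id';
    }
    if ( $dir !== 'ASC' && $dir !== 'DESC' ) {
        $dir = 'ASC';
    }
    return "$column $dir";
}

function build_query_safe( string $sort ): string {
    return 'SELECT id FROM example_locations ORDER BY ' . sanitize_sort_arg_example( $sort );
}

// Constructed inputs: a legitimate sort value and a quote-free SQL expression.
$legit   = 'lat DESC';
$hostile = 'lat, (SELECT 1)';  // no quote characters, so esc_sql_stub() leaves it untouched

echo build_query_unsafe( $hostile ), "\n";  // the whole expression is appended to the query verbatim
echo build_query_safe( $hostile ), "\n";    // unknown column is rejected; the safe default is used
echo build_query_safe( $legit ), "\n";      // a legitimate column and direction pass through
```

The same allowlist must be applied on every path that builds the query (render-map.php and the template tags as well as AJAX), which is exactly the gap the description attributes to 1.13.18.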
Published: 2026-05-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Geo Mashup plugin for WordPress is vulnerable to a time-based blind SQL injection that can be triggered through the untrusted 'sort' parameter. The flaw stems from insufficient escaping and a context-mismatch: the esc_sql() function is applied, but because the value is used in an ORDER BY clause without quotes, malicious SQL is not filtered. This allows an attacker to append additional SQL statements to the existing query and leverage timing delays to infer data from the database.

Affected Systems

All installations of the Geo Mashup plugin version 1.13.18 or earlier are impacted. The vulnerability exists in the render-map.php and template tag code paths, which are widely used in WordPress sites that employ this plugin.

Risk and Exploitability

The flaw can be exploited by anyone with network access to the WordPress site, without authentication. The CVSS score of 7.5 signals a high severity. Although the EPSS score is not available and the vulnerability is not listed in CISA KEV, the nature of the attack—unauthenticated, remote content-based—makes it a significant data-exposure risk. An attacker can craft a time-based payload, send requests to the vulnerable endpoint, and observe response latency to enumerate database contents.

Generated by OpenCVE AI on May 2, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Geo Mashup plugin to the latest revision that removes the SQL injection in the 'sort' parameter (any release newer than 1.13.18).
  • If an immediate upgrade is not feasible, deploy a Web Application Firewall or rewrite rule that blocks or sanitizes the 'sort' parameter, limiting the payload to known safe values.
  • As a temporary mitigation, consider deactivating the Geo Mashup plugin or restricting its use until the official patch is applied.

Generated by OpenCVE AI on May 2, 2026 at 12:21 UTC.


Advisories

No advisories yet.

History

Sat, 02 May 2026 13:15:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Cyberhobo; Cyberhobo geo Mashup; Wordpress; Wordpress wordpress

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Cyberhobo; Cyberhobo geo Mashup; Wordpress; Wordpress wordpress

Sat, 02 May 2026 11:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective in the `ORDER BY` context because the value is not enclosed in quotes. Additionally, while a `sanitize_sort_arg()` allowlist-based sanitizer was added in version 1.13.18, it is only applied in the AJAX code path (`sanitize_query_args()`) and not in the `render-map.php` or template tag code paths. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach.

Type: Title
  Values Removed: (none)
  Values Added: Geo Mashup <= 1.13.18 - Unauthenticated Time-Based SQL Injection via 'sort' Parameter

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-89

Type: References
  Values Removed: (none)
  Values Added: (none listed)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T11:16:09.209Z

Reserved: 2026-03-12T17:24:28.654Z

Link: CVE-2026-4060

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-02T12:16:15.430

Modified: 2026-05-02T12:16:15.430

Link: CVE-2026-4060

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T13:00:06Z

Weaknesses