Description
The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'map_post_type' parameter in all versions up to, and including, 1.13.18. This is due to the `SearchResults` hook explicitly calling `stripslashes_deep($_POST)` which removes WordPress magic quotes protection, followed by the unsanitized `map_post_type` value being concatenated into an `IN(...)` clause without `esc_sql()` or `$wpdb->prepare()`. The 'any' branch of the same code correctly applies `array_map('esc_sql', ...)`, but the else branch does not. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. Exploitation requires the Geo Search feature to be enabled in plugin settings.
Published: 2026-05-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability occurs when the Geo Mashup plugin processes the 'map_post_type' parameter. By invoking stripslashes_deep on $_POST, the plugin removes WordPress magic quotes, and the unsanitized value is concatenated directly into an IN clause without proper escaping or preparation. An attacker can therefore inject SQL that is executed as part of a time‑based blind query, allowing the extraction of sensitive database information for users who possess no authentication. The flaw can only be exploited when the plugin’s Geo Search feature is enabled, but no authentication is required to supply a malicious request.

Affected Systems

All WordPress sites that have the Geo Mashup plugin installed with a version equal to or earlier than 1.13.18 are affected. The plugin in question is identified by cyberhobo as Geo Mashup.

Risk and Exploitability

The CVSS score of 7.5 denotes high severity. No EPSS score is available, signaling that a specific exploitation probability cannot be quantified at this time. The vulnerability is not listed in CISA’s KEV catalog. Based on the fact that the flaw can be triggered through a standard HTTP request to the website, the likely attack vector is remote, unauthenticated, and requires only the ability to send an HTTP request to a target that has the plugin’s Geo Search feature enabled.

Generated by OpenCVE AI on May 2, 2026 at 12:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official patch to Geo Mashup, version 1.13.19 or newer
  • If the latest patch cannot be applied immediately, temporarily disable the Geo Search feature from the plugin settings or remove the plugin entirely
  • As a contingency, restrict the 'map_post_type' input to known, safe values by adding a custom sanitization routine or deploying a WAF rule that blocks suspicious SQL patterns

Generated by OpenCVE AI on May 2, 2026 at 12:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Cyberhobo
Cyberhobo geo Mashup
Wordpress
Wordpress wordpress
Vendors & Products Cyberhobo
Cyberhobo geo Mashup
Wordpress
Wordpress wordpress

Sat, 02 May 2026 11:45:00 +0000

Type Values Removed Values Added
Description The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'map_post_type' parameter in all versions up to, and including, 1.13.18. This is due to the `SearchResults` hook explicitly calling `stripslashes_deep($_POST)` which removes WordPress magic quotes protection, followed by the unsanitized `map_post_type` value being concatenated into an `IN(...)` clause without `esc_sql()` or `$wpdb->prepare()`. The 'any' branch of the same code correctly applies `array_map('esc_sql', ...)`, but the else branch does not. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. Exploitation requires the Geo Search feature to be enabled in plugin settings.
Title Geo Mashup <= 1.13.18 - Unauthenticated Time-Based SQL Injection via 'map_post_type' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Cyberhobo Geo Mashup
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T11:16:10.948Z

Reserved: 2026-03-12T17:28:38.631Z

Link: CVE-2026-4061

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-02T12:16:16.200

Modified: 2026-05-02T12:16:16.200

Link: CVE-2026-4061

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T12:30:27Z

Weaknesses