Description
The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'object_ids' and 'exclude_object_ids' parameters in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective because the values are placed in an unquoted `IN(...)` / `NOT IN(...)` SQL context — `esc_sql()` only escapes quote characters and provides no protection against parenthesis or SQL keyword injection. Additionally, while a numeric-only sanitizer exists in `sanitize_query_args()`, it is only applied in the AJAX code path and not in the `render-map.php` or template tag code paths. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach.
Published: 2026-05-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Geo Mashup plugin for WordPress contains an unauthenticated time‑based SQL injection flaw in the 'object_ids' and 'exclude_object_ids' parameters in all versions up to 1.13.18. The flaw arises because values supplied by a user are placed in an IN/NOT IN clause without proper quoting or parameter binding, allowing an attacker to inject additional SQL statements. Since the optional numeric sanitizer is only applied in the AJAX path, the template and render‑map code paths remain vulnerable. If exploited, the attack can retrieve confidential database data by inducing delayed responses that reveal the existence of data through timing.

Affected Systems

The vulnerability affects installations of the Geo Mashup WordPress plugin produced by cyberhobo. All releases with a version number less than or equal to 1.13.18 are impacted. Users running those versions on any WordPress site are at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. The EPSS score is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog, so the measured exploitation probability is unknown. Attackers do not need authentication to submit the malicious parameters, making the attack vector network‑based and public. An attacker can craft a payload that forces the database to wait, such as adding a sleep function, and measure the response time to infer data. Because the flaw resides in a database query, success requires interaction with the target's MySQL (or MariaDB) backend, but no special privileges are required beyond the database credentials used by WordPress itself.

Generated by OpenCVE AI on May 2, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Geo Mashup plugin version newer than 1.13.18, if available, that includes input sanitization and uses parameterized queries.
  • Disable or temporarily remove the Geo Mashup plugin from sites that cannot be updated immediately.
  • Configure WordPress to require authentication or capability checks before processing the 'object_ids' and 'exclude_object_ids' parameters to limit unauthenticated input.

Generated by OpenCVE AI on May 2, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Cyberhobo
Cyberhobo geo Mashup
Wordpress
Wordpress wordpress
Vendors & Products Cyberhobo
Cyberhobo geo Mashup
Wordpress
Wordpress wordpress

Sat, 02 May 2026 11:45:00 +0000

Type Values Removed Values Added
Description The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'object_ids' and 'exclude_object_ids' parameters in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective because the values are placed in an unquoted `IN(...)` / `NOT IN(...)` SQL context — `esc_sql()` only escapes quote characters and provides no protection against parenthesis or SQL keyword injection. Additionally, while a numeric-only sanitizer exists in `sanitize_query_args()`, it is only applied in the AJAX code path and not in the `render-map.php` or template tag code paths. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach.
Title Geo Mashup <= 1.13.18 - Unauthenticated Time-Based SQL Injection via 'object_ids' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Cyberhobo Geo Mashup
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T11:16:10.178Z

Reserved: 2026-03-12T17:32:46.999Z

Link: CVE-2026-4062

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-02T12:16:16.337

Modified: 2026-05-02T12:16:16.337

Link: CVE-2026-4062

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T14:00:06Z

Weaknesses