Impact
The vulnerability is a classic SQL Injection in the Geo Mashup WordPress plugin, classified under CWE-89. An attacker can inject malicious SQL through the subscriber interface, potentially reading, modifying, or deleting database contents tied to the plugin. This could lead to data leakage or the introduction of critical business logic compromises if the injected queries affect broader application data.
Affected Systems
WordPress sites that use the Geo Mashup plugin by Dylan Kuhn with versions 1.13.19 or older are affected. The vulnerability applies to all releases up to and including 1.13.19, regardless of minor patch levels.
Risk and Exploitability
The CVSS score of 8.5 indicates high severity. The EPSS score is not available, so real‑world exploitation frequency is unknown, but the lack of KEV listing does not indicate a documented exploitation. The likely attack vector is through the subscriber endpoint exposed by the plugin; an authenticated or unauthenticated attacker could place crafted payloads in form fields that the plugin forwards to the database. Given the high severity and the documented ability to inject arbitrary SQL, administrators should treat this as a substantial risk to data confidentiality and integrity.
OpenCVE Enrichment