Description
Subscriber SQL Injection in Geo Mashup <= 1.13.19 versions.
Published: 2026-06-17
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL Injection in the Geo Mashup WordPress plugin, classified under CWE-89. An attacker can inject malicious SQL through the subscriber interface, potentially reading, modifying, or deleting database contents tied to the plugin. This could lead to data leakage or the introduction of critical business logic compromises if the injected queries affect broader application data.

Affected Systems

WordPress sites that use the Geo Mashup plugin by Dylan Kuhn with versions 1.13.19 or older are affected. The vulnerability applies to all releases up to and including 1.13.19, regardless of minor patch levels.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. The EPSS score is not available, so real‑world exploitation frequency is unknown, but the lack of KEV listing does not indicate a documented exploitation. The likely attack vector is through the subscriber endpoint exposed by the plugin; an authenticated or unauthenticated attacker could place crafted payloads in form fields that the plugin forwards to the database. Given the high severity and the documented ability to inject arbitrary SQL, administrators should treat this as a substantial risk to data confidentiality and integrity.

Generated by OpenCVE AI on June 18, 2026 at 12:11 UTC.

Remediation

Vendor Solution

Update the WordPress Geo Mashup Plugin to the latest available version (at least 1.13.20).


OpenCVE Recommended Actions

  • Upgrade the Geo Mashup plugin to version 1.13.20 or later, as recommended by the vendor.
  • Configure the database user that the WordPress application uses to have the minimum privileges necessary for normal operation to limit the damage an injected query could cause.
  • If the plugin is not critical to site functionality, consider disabling or removing it to eliminate the attack surface until a patch is applied.

Generated by OpenCVE AI on June 18, 2026 at 12:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Dylan Kuhn
Dylan Kuhn geo Mashup
Wordpress
Wordpress wordpress
Vendors & Products Dylan Kuhn
Dylan Kuhn geo Mashup
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Subscriber SQL Injection in Geo Mashup <= 1.13.19 versions.
Title WordPress Geo Mashup plugin <= 1.13.19 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Dylan Kuhn Geo Mashup
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:30:32.812Z

Reserved: 2026-05-26T19:56:06.748Z

Link: CVE-2026-48967

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T12:15:02Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')