Description
The GEO my WP plugin for WordPress is vulnerable to SQL Injection via the 'swlatlng' and 'nelatlng' parameters in all versions up to, and including, 4.5.5. The parameters are read from $_SERVER['QUERY_STRING'] via parse_str() (bypassing WordPress's wp_magic_quotes protection, which only covers $_POST/$_GET/$_COOKIE/$_REQUEST), then each is split on ',' via explode() and the resulting fragments are interpolated directly into a SQL BETWEEN clause in gmw_get_locations_within_boundaries_sql() without is_numeric() validation, (float) casting, esc_sql(), or $wpdb->prepare(). This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the site to host the Posts Locator search-results shortcode (`[gmw form="results" form_id=N]`) on a public page and to have at least one published post with an associated gmw_location row.
Published: 2026-05-30
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The GEO my WP plugin for WordPress is vulnerable to a CWE-89 SQL Injection attack that allows unauthenticated users to append malicious SQL statements to queries. Attackers can exploit the swlatlng and nelatlng parameters read from the raw query string, bypassing WordPress's sanitization, to retrieve sensitive data from the database or perform other destructive operations. The vulnerability is high severity with a CVSS score of 7.5, indicating a significant risk to confidentiality and integrity.

Affected Systems

All installations of GEO my WP version 4.5.5 or earlier are affected. This includes any WordPress site that hosts the Posts Locator search-results shortcode ([gmw form="results" form_id=N]) and has at least one published post containing a gmw_location entry. The issue spans the entire plugin code base that processes these latitude/longitude bounds, regardless of WordPress core or theme version.

Risk and Exploitability

The exploit requires only a crafted URL; no authentication is necessary. This is inferred from the description, since the CVE text does not explicitly state the attack vector. Because the vulnerability relies on parameters parsed from the query string, any visitor can trigger it. The lack of numeric validation lets an attacker inject additional SQL into the BETWEEN clause, leading to data disclosure or modification. With a CVSS of 7.5 and no EPSS data but high impact, the risk is considered high, and the vulnerability is not currently listed in CISA KEV. The attack vector is external via HTTP requests, and the conditions are widely met on public sites that use the affected shortcode.

Generated by OpenCVE AI on May 30, 2026 at 10:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GEO my WP to a version newer than 4.5.5, such as 4.5.6, which introduces proper input validation for swlatlng and nelatlng parameters.
  • If an upgrade cannot be performed immediately, remove or disable the Posts Locator search-results shortcode from publicly accessible pages until the plugin is updated.
  • Configure a web application firewall or server rule to block or sanitize requests containing the swlatlng or nelatlng query parameters when they do not consist solely of numeric latitude/longitude values.
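As an added illustration (not GEO my WP's own code and not part of the advisory), the following PHP sketches the handling the description says is missing for the swlatlng / nelatlng "lat,lng" pairs: a strict numeric allowlist on each fragment, (float) casting only after that check, and $wpdb->prepare() with %f placeholders. The function names, the table name and the idea of sourcing the values from $_GET instead of re-parsing $_SERVER['QUERY_STRING'] are assumptions for the example. The same allowlist regex is the kind of pattern the WAF rule in the third recommendation above would match on.

```php
<?php
/**
 * Added example, not GEO my WP's code. Hardened handling of the
 * swlatlng / nelatlng "lat,lng" pairs described in the advisory.
 * Function names, the table name and the calling context are assumed.
 */

// Allowlist for a single coordinate: optional sign, up to three integer
// digits, optional fraction. Quotes, spaces, operators and keywords all
// fail this pattern, so they never reach the SQL text.
const GMW_EXAMPLE_COORD_RE = '/^-?\d{1,3}(?:\.\d+)?$/';

/**
 * Parse "lat,lng" into two floats. Returns null unless the input is exactly
 * two allowlisted numbers inside the valid latitude/longitude ranges.
 */
function gmw_example_parse_latlng( $pair ) {
    if ( ! is_string( $pair ) ) {
        return null;
    }
    $parts = explode( ',', $pair );
    if ( 2 !== count( $parts ) ) {
        return null;
    }
    foreach ( $parts as $p ) {
        if ( 1 !== preg_match( GMW_EXAMPLE_COORD_RE, $p ) ) {
            return null;
        }
    }
    // Cast only after the allowlist: (float) on its own would silently
    // accept "12abc" as 12.0 instead of rejecting the request.
    $lat = (float) $parts[0];
    $lng = (float) $parts[1];
    if ( $lat < -90.0 || $lat > 90.0 || $lng < -180.0 || $lng > 180.0 ) {
        return null;
    }
    return array( $lat, $lng );
}

/**
 * Build the bounding-box query with $wpdb->prepare(). The %f placeholders
 * mean the four values enter the SQL only as numbers. Returns null when
 * either corner is invalid so the caller can return an empty result set
 * rather than run a query built from unchecked input.
 */
function gmw_example_boundaries_sql( $wpdb, $swlatlng, $nelatlng ) {
    $sw = gmw_example_parse_latlng( $swlatlng );
    $ne = gmw_example_parse_latlng( $nelatlng );
    if ( null === $sw || null === $ne ) {
        return null;
    }
    // Table name is assumed for the example; only the prefix comes from $wpdb.
    $table = $wpdb->prefix . 'gmw_locations';
    return $wpdb->prepare(
        "SELECT * FROM {$table}
         WHERE latitude  BETWEEN %f AND %f
           AND longitude BETWEEN %f AND %f",
        $sw[0], $ne[0], // south-west latitude .. north-east latitude
        $sw[1], $ne[1]  // south-west longitude .. north-east longitude
    );
}

/**
 * Read the parameters from $_GET (which WordPress's slashing covers) and
 * wp_unslash() them, instead of re-parsing $_SERVER['QUERY_STRING'] with
 * parse_str(). With the allowlist above, any value WordPress altered or
 * that is not a plain "lat,lng" pair is simply rejected.
 */
function gmw_example_boundaries_from_request( $wpdb ) {
    $sw = isset( $_GET['swlatlng'] ) ? wp_unslash( $_GET['swlatlng'] ) : '';
    $ne = isset( $_GET['nelatlng'] ) ? wp_unslash( $_GET['nelatlng'] ) : '';
    return gmw_example_boundaries_sql( $wpdb, $sw, $ne );
}
```

The design point is that the allowlist does the rejecting and prepare() does the quoting; neither is a substitute for the other. A cast alone hides malformed input instead of surfacing it, and prepare() alone would still accept a value the application has no business querying with.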

Generated by OpenCVE AI on May 30, 2026 at 10:50 UTC.


Advisories

No advisories yet.

History

Sat, 30 May 2026 23:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ninjew; Ninjew geo My Wp; Wordpress; Wordpress wordpress
Vendors & Products | | Ninjew; Ninjew geo My Wp; Wordpress; Wordpress wordpress

Sat, 30 May 2026 09:45:00 +0000

Type Values Removed Values Added
Description The GEO my WP plugin for WordPress is vulnerable to SQL Injection via the 'swlatlng' and 'nelatlng' parameters in all versions up to, and including, 4.5.5. The parameters are read from $_SERVER['QUERY_STRING'] via parse_str() (bypassing WordPress's wp_magic_quotes protection, which only covers $_POST/$_GET/$_COOKIE/$_REQUEST), then each is split on ',' via explode() and the resulting fragments are interpolated directly into a SQL BETWEEN clause in gmw_get_locations_within_boundaries_sql() without is_numeric() validation, (float) casting, esc_sql(), or $wpdb->prepare(). This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the site to host the Posts Locator search-results shortcode (`[gmw form="results" form_id=N]`) on a public page and to have at least one published post with an associated gmw_location row.
Title GEO my WP <= 4.5.5 - Unauthenticated SQL Injection via 'swlatlng' / 'nelatlng' Parameters
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Ninjew Geo My Wp
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-30T09:28:59.244Z

Reserved: 2026-05-27T18:00:12.927Z

Link: CVE-2026-9757

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-30T10:16:23.980

Modified: 2026-05-30T10:16:23.980

Link: CVE-2026-9757

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:17:53Z

Weaknesses