๐Ÿ” CVE Alert

CVE-2026-15300

CRITICAL 9.1

GEO my WP <= 4.5.4 - Unauthenticated SQL Injection via 'distance' / 'lat' / 'lng' Parameters

CVSS Score
9.1
EPSS Score
0.3%
EPSS Percentile
27th

The GEO my WP plugin for WordPress was vulnerable to SQL Injection via the 'distance', 'lat', and 'lng' parameters in versions up to, and including, 4.5.4. The values were read from $_SERVER['QUERY_STRING'] via parse_str() (bypassing wp_magic_quotes, which does not cover $_SERVER), then passed through bare esc_sql() before being interpolated into unquoted numeric positions in the proximity-search query (HAVING/SELECT clause distance math, BETWEEN bounding-box pre-filter) built by gmw_locations_query() in plugins/posts-locator/includes/class-gmw-wp-query.php. Because esc_sql() only escapes string delimiters and these positions are numeric, payloads such as `1 OR SLEEP(3)` survived sanitization. Fixed in 4.5.5 by adding an upstream is_numeric() guard that short-circuits the WHERE clause to `AND 1 = 0` when either coordinate is non-numeric, and by replacing the three esc_sql() calls with (float) casts.

CWE CWE-89
Vendor ninjew
Product geo my wp
Published Jul 10, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for ninjew geo my wp

Be the first to know when new critical vulnerabilities affecting ninjew geo my wp are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

ninjew / GEO my WP
0 โ‰ค 4.5.4

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/ecbc7f05-fc4f-4276-968e-04222a64e55a?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/geo-my-wp/tags/4.5.4/plugins/posts-locator/includes/class-gmw-wp-query.php#L299 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/geo-my-wp/tags/4.5.4/plugins/posts-locator/includes/class-gmw-wp-query.php#L300 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/geo-my-wp/tags/4.5.4/plugins/posts-locator/includes/class-gmw-wp-query.php#L301 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/geo-my-wp/tags/4.5.5/plugins/posts-locator/includes/class-gmw-wp-query.php#L286 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/geo-my-wp/tags/4.5.5/plugins/posts-locator/includes/class-gmw-wp-query.php#L305