CVE-2026-52715

Vulnerability

The GEO my WordPress plugin versions up to and including 4.5.5 contain an unauthenticated SQL injection vulnerability. The flaw resides in an unsanitized input parameter that is directly used in a database query, requiring no special configuration or user privileges to reach the vulnerable code path [1].

Exploitation

An attacker with network access to the WordPress site can exploit this vulnerability without any authentication. By sending a crafted HTTP request containing a malicious SQL payload to the vulnerable endpoint, the attacker can execute arbitrary SQL commands against the underlying database. No user interaction or prior access is required [1].

Impact

Successful exploitation allows the attacker to directly interact with the database, leading to potential theft of sensitive information such as user credentials, personal data, and site configuration. The impact is primarily on confidentiality, but could also enable data manipulation or further privilege escalation depending on the database permissions [1].

Mitigation

The vulnerability is fixed in version 4.5.5.1. Users are strongly advised to update immediately. If updating is not possible, applying a mitigation rule (e.g., via Patchstack) or contacting a hosting provider for assistance is recommended. No other workarounds are documented [1].