CVE-2026-7552
Description
The Geo Mashup plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.13.19. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to expose sensitive plugin configuration data, including Google Maps API keys and GeoNames service credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Geo Mashup WordPress plugin up to 1.13.19 fails to verify authorization, allowing unauthenticated attackers to expose sensitive configuration data including API keys.
Vulnerability
The Geo Mashup plugin for WordPress versions up to and including 1.13.19 contains an authorization bypass vulnerability. The plugin does not properly verify that a user is authorized to perform certain actions, leading to exposure of sensitive plugin configuration data such as Google Maps API keys and GeoNames service credentials. The vulnerable code is present in the plugin's main file geo-mashup.php [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted request to the plugin's endpoints that lack proper capability checks. No authentication or special privileges are required. The attacker can directly access the configuration data without any user interaction.
Impact
Successful exploitation allows an unauthenticated attacker to retrieve sensitive configuration data, including Google Maps API keys and GeoNames credentials. This could lead to unauthorized use of these services, potential financial charges, or further attacks leveraging the exposed keys.
Mitigation
As of the publication date (2026-05-28), no fixed version has been released. Users should monitor the plugin's repository for updates. Until a patch is available, consider disabling the plugin or restricting access to its endpoints via web application firewall rules. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at this time.
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.13.19
- (no CPE) range: <=1.13.19
Patches
- r3503627
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/geo-mashup/tags/1.13.18/geo-mashup.php (nvd)
- plugins.trac.wordpress.org/browser/geo-mashup/tags/1.13.19/geo-mashup.php (nvd)
- plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup.php (nvd)
- plugins.trac.wordpress.org/changeset/3503627/geo-mashup (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/605dc24c-5b6e-479b-98dd-ad80c547824c (nvd)
News mentions
No linked articles in our index yet.