CVE-2026-9757
Description
The GEO my WP plugin for WordPress is vulnerable to SQL Injection via the 'swlatlng' and 'nelatlng' parameters in all versions up to, and including, 4.5.5. The parameters are read from $_SERVER['QUERY_STRING'] via parse_str() (bypassing WordPress's wp_magic_quotes protection, which only covers $_POST/$_GET/$_COOKIE/$_REQUEST), then each is split on ',' via explode() and the resulting fragments are interpolated directly into a SQL BETWEEN clause in gmw_get_locations_within_boundaries_sql() without is_numeric() validation, (float) casting, esc_sql(), or $wpdb->prepare(). This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the site to host the Posts Locator search-results shortcode ([gmw form="results" form_id=N]) on a public page and to have at least one published post with an associated gmw_location row.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in GEO my WP plugin via unsanitized latitude/longitude parameters allows database extraction.
Vulnerability
The GEO my WP plugin for WordPress (versions up to and including 4.5.5) is vulnerable to SQL injection in the gmw_get_locations_within_boundaries_sql() function. The swlatlng and nelatlng parameters are read from $_SERVER['QUERY_STRING'] via parse_str(), bypassing WordPress's wp_magic_quotes protection. These values are split on commas and directly interpolated into a SQL BETWEEN clause without sanitization or parameterized queries [2][4]. The vulnerability requires the site to have the Posts Locator search-results shortcode [gmw form="results" form_id=N] on a public page and at least one published post with an associated gmw_location row.
Exploitation
An unauthenticated attacker can exploit this by crafting a malicious HTTP request to a page containing the vulnerable shortcode. The attacker supplies arbitrary SQL fragments in the swlatlng or nelatlng query string parameters. Because the values are not validated with is_numeric() or cast to float, and are not escaped via esc_sql() or $wpdb->prepare(), the attacker can append additional SQL queries to the existing query. No authentication or special privileges are required; only the presence of the shortcode and a location record.
Impact
Successful exploitation allows an unauthenticated attacker to extract sensitive information from the WordPress database, including user credentials, post content, and other data. The injection occurs in a SQL BETWEEN clause, enabling the attacker to append UNION-based or time-based blind queries. The impact is limited to data disclosure (confidentiality), as the attacker can read arbitrary tables but cannot modify data or execute commands.
Mitigation
The vulnerability is fixed in version 4.5.6, released on 2026-05-30 [1]. Users should update immediately. There is no known workaround for sites that cannot upgrade. The plugin is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
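The unsafe pattern the description names, beside a hardened form of it, as an added illustration: this is a hypothetical reconstruction, not GEO my WP's own code, and the function names, the trusted $table argument and the coordinate range check are assumptions.

```php
<?php
// Added illustration, not GEO my WP's code; names are hypothetical. Assumes a
// WordPress context where $wpdb (an instance of the WPDB class) is available.

// Unsafe pattern described in the advisory: coordinates taken from QUERY_STRING via
// parse_str() (so wp_magic_quotes never touches them), split on ',' and interpolated raw.
function unsafe_boundaries_sql( $table ) {
    parse_str( $_SERVER['QUERY_STRING'], $qs );
    list( $sw_lat, $sw_lng ) = explode( ',', $qs['swlatlng'] );
    list( $ne_lat, $ne_lng ) = explode( ',', $qs['nelatlng'] );
    // Any non-numeric fragment reaches the query text unchanged.
    return "SELECT * FROM {$table} WHERE latitude BETWEEN {$sw_lat} AND {$ne_lat}"
         . " AND longitude BETWEEN {$sw_lng} AND {$ne_lng}";
}

// Hardened version: each fragment must be numeric, is cast to float, and only
// reaches the query through $wpdb->prepare() with %f placeholders. Returns null
// when the input is not a well-formed "lat,lng" pair.
function parse_latlng( $value ) {
    $parts = explode( ',', (string) $value );
    if ( 2 !== count( $parts ) ) {
        return null;
    }
    foreach ( $parts as $p ) {
        if ( ! is_numeric( $p ) ) {
            return null;
        }
    }
    $lat = (float) $parts[0];
    $lng = (float) $parts[1];
    if ( $lat < -90 || $lat > 90 || $lng < -180 || $lng > 180 ) {
        return null;
    }
    return array( $lat, $lng );
}

// $table is a trusted, code-supplied name (e.g. $wpdb->prefix . 'gmw_locations'), never user input.
function safe_boundaries_sql( $wpdb, $table ) {
    parse_str( isset( $_SERVER['QUERY_STRING'] ) ? $_SERVER['QUERY_STRING'] : '', $qs );
    $sw = parse_latlng( isset( $qs['swlatlng'] ) ? $qs['swlatlng'] : '' );
    $ne = parse_latlng( isset( $qs['nelatlng'] ) ? $qs['nelatlng'] : '' );
    if ( null === $sw || null === $ne ) {
        return null; // reject the request instead of building a query
    }
    // %f is a numeric placeholder; prepare() formats it, so no SQL text is user-controlled.
    return $wpdb->prepare(
        "SELECT * FROM {$table} WHERE latitude BETWEEN %f AND %f AND longitude BETWEEN %f AND %f",
        $sw[0], $ne[0], $sw[1], $ne[1]
    );
}
```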
Affected products
- (no CPE) range: <=4.5.5
- (no CPE) range: <=4.5.5
Patches
- r3552886
References
- plugins.trac.wordpress.org/browser/geo-my-wp/tags/4.5.5/includes/class-gmw-form-core.php (nvd)
- plugins.trac.wordpress.org/browser/geo-my-wp/tags/4.5.5/includes/class-gmw-form.php (nvd)
- plugins.trac.wordpress.org/browser/geo-my-wp/tags/4.5.5/includes/gmw-functions.php (nvd)
- plugins.trac.wordpress.org/browser/geo-my-wp/tags/4.5.5/includes/gmw-functions.php (nvd)
- plugins.trac.wordpress.org/browser/geo-my-wp/tags/4.5.5/plugins/posts-locator/includes/class-gmw-wp-query.php (nvd)
- plugins.trac.wordpress.org/changeset/3552886/geo-my-wp/trunk/includes/gmw-functions.php (nvd)
- plugins.trac.wordpress.org/changeset (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/042f78a4-2256-4286-aa03-8bd8b7a79530 (nvd)