PatchSiren cyber security CVE debrief

CVE-2026-7552 cyberhobo CVE debrief

The Geo Mashup plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.13.19. The vulnerability stems from improper authorization verification, allowing unauthenticated attackers to access sensitive plugin configuration data including Google Maps API keys and GeoNames service credentials. This represents a MEDIUM severity information disclosure risk with a CVSS 3.1 score of 5.3. The vulnerability was disclosed on 2026-05-28 and affects the WordPress plugin ecosystem. No known exploitation in ransomware campaigns has been reported.

Vendor: cyberhobo
Product: Geo Mashup
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

WordPress site administrators using the Geo Mashup plugin; security teams monitoring WordPress plugin vulnerabilities; developers maintaining WordPress installations with geolocation functionality

Technical summary

The Geo Mashup WordPress plugin fails to verify the caller's authorization before exposing sensitive configuration data. The vulnerability lies in the plugin's handling of configuration requests, where a missing authorization check allows unauthenticated attackers to retrieve plugin settings. Affected code paths include geo-mashup.php at lines 515, 528, and 1525 across multiple versions. The security fix was committed in changeset 3503627. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N indicates a network-accessible, low-complexity attack requiring no privileges and no user interaction, with unchanged scope, low confidentiality impact, and no integrity or availability impact.
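The following is an added illustration of the CWE-862 pattern described above and of the check that closes it; it is hypothetical WordPress code written for this debrief, not Geo Mashup's own handler. The action names, the option name `example_plugin_settings`, and the setting keys are all constructed.

```php
<?php
// Hypothetical plugin code (not Geo Mashup's): an AJAX handler that returns
// stored settings. The "nopriv" hook makes it reachable without logging in,
// and nothing checks who is asking, so stored API keys are disclosed to anyone.
function example_settings_vulnerable() {
    $settings = get_option( 'example_plugin_settings', array() );
    wp_send_json( $settings ); // leaks every stored key, including credentials
}
add_action( 'wp_ajax_example_settings_v', 'example_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_example_settings_v', 'example_settings_vulnerable' );

// Hardened form: no nopriv registration, a nonce check against CSRF, and an
// explicit capability check before any data is returned. Secrets are also
// stripped from the response, since the browser does not need them.
function example_settings_hardened() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $settings = get_option( 'example_plugin_settings', array() );
    // Constructed key names for the kind of credentials the advisory mentions.
    unset( $settings['google_maps_api_key'], $settings['geonames_username'] );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_example_settings_h', 'example_settings_hardened' );
```

When reviewing a plugin for this class of bug, look for `wp_ajax_nopriv_` hooks and REST routes whose `permission_callback` returns true, and confirm each one checks a capability before reading options.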

Defensive priority

medium

Recommended defensive actions

  • Update the Geo Mashup plugin to version 1.13.20 or later, which contains the security fix from changeset 3503627
  • Review and rotate any Google Maps API keys and GeoNames service credentials that may have been exposed
  • Implement network-level access controls to restrict unauthorized access to WordPress administrative functions
  • Enable WordPress security logging to detect anomalous access to plugin configuration endpoints
  • Audit plugin configurations to ensure no sensitive credentials remain exposed in accessible locations

Evidence notes

Vulnerability identified through WordPress plugin source code analysis. Multiple source code references point to specific line numbers in geo-mashup.php across versions 1.13.18, 1.13.19, and trunk. A changeset (3503627) indicates a security fix has been committed. The weakness is classified as CWE-862 (Missing Authorization).
