PatchSiren cyber security CVE debrief
CVE-2026-15300 ninjew CVE debrief
The GEO my WP plugin for WordPress was vulnerable to SQL Injection via the 'distance', 'lat', and 'lng' parameters in versions up to, and including, 4.5.4. The values were read from $_SERVER['QUERY_STRING'] via parse_str() (bypassing wp_magic_quotes, which does not cover $_SERVER), then passed through bare esc_sql() before being interpolated into unquoted numeric positions in the proximity-search query (HAVING/SELECT clause distance math, BETWEEN bounding-box pre-filter) built by gmw_locations_query() in plugins/posts-locator/includes/class-gmw-wp-query.php. Because esc_sql() only escapes string delimiters and these positions are numeric, payloads such as `1 OR SLEEP(3)` survived sanitization.
- Vendor
- ninjew
- Product
- GEO my WP
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
WordPress users and administrators who have installed the GEO my WP plugin, especially those using versions up to and including 4.5.4, should be aware of this vulnerability and take immediate action to update to version 4.5.5 or later.
Technical summary
The GEO my WP plugin for WordPress was vulnerable to SQL Injection via the 'distance', 'lat', and 'lng' parameters in versions up to, and including, 4.5.4. The vulnerability was caused by the plugin's use of parse_str() to read values from $_SERVER['QUERY_STRING'], which bypasses wp_magic_quotes. These values were then passed through bare esc_sql() before being interpolated into unquoted numeric positions in the proximity-search query. This allowed payloads such as `1 OR SLEEP(3)` to survive sanitization. The vulnerability was fixed in version 4.5.5 by adding an upstream is_numeric() guard that short-circuits the WHERE clause to `AND 1 = 0` when either coordinate is non-numeric, and by replacing the three esc_sql() calls with (float) casts.
Defensive priority
High
Recommended defensive actions
- Update to version 4.5.5 or later
- Review and monitor database queries for suspicious activity
- Implement additional security measures such as web application firewalls and intrusion detection systems
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record was published on 2026-07-10T05:16:33.393Z and has not been modified since then. The NVD entry is currently Deferred. Evidence is limited to public CVE and NVD information. Defenders should verify affected scope, severity, and vendor guidance with official advisories.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T05:16:33.393Z and has not been modified since then.