PatchSiren cyber security CVE debrief
CVE-2026-9757 ninjew CVE debrief
The GEO my WP plugin for WordPress is vulnerable to SQL Injection via the 'swlatlng' and 'nelatlng' parameters in all versions up to, and including, 4.5.5. The parameters are read from $_SERVER['QUERY_STRING'] via parse_str(), bypassing WordPress's wp_magic_quotes protection (which only covers $_POST/$_GET/$_COOKIE/$_REQUEST). Each parameter is split on ',' via explode() and the resulting fragments are interpolated directly into a SQL BETWEEN clause in gmw_get_locations_within_boundaries_sql() without is_numeric() validation, (float) casting, esc_sql(), or $wpdb->prepare(). This allows unauthenticated attackers to append additional SQL queries to extract sensitive information from the database. Exploitation requires the site to host the Posts Locator search-results shortcode ([gmw form=results form_id=N]) on a public page and to have at least one published post with an associated gmw_location row.
- Vendor: ninjew
- Product: GEO my WP
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-30
- Original CVE updated: 2026-06-01
- Advisory published: 2026-05-30
- Advisory updated: 2026-06-01
Who should care
WordPress site administrators running the GEO my WP plugin, security teams monitoring WordPress plugin vulnerabilities, and database administrators responsible for the security of a WordPress backend.
Technical summary
The vulnerability exists because the plugin reads the latitude/longitude boundary parameters directly from $_SERVER['QUERY_STRING'] using parse_str(), which bypasses WordPress's automatic escaping in wp_magic_quotes() (that function only covers $_POST, $_GET, $_COOKIE and $_REQUEST). The comma-separated values of swlatlng and nelatlng are exploded into arrays and interpolated directly into a SQL BETWEEN clause without numeric validation, type casting, or a prepared statement. The result is a classic SQL injection vector that lets an unauthenticated attacker alter the query structure and read database contents. The attack surface is limited to sites that expose the Posts Locator search-results shortcode on a public page and have at least one published post with location data.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade GEO my WP plugin to version 4.5.5.1 or later
- Remove or disable the Posts Locator search-results shortcode from public pages if patching is not immediately possible
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts in swlatlng and nelatlng parameters
- Review database access logs for anomalous queries that may indicate exploitation attempts
- Ensure the database account used by WordPress follows the principle of least privilege, limiting what a successful SQL injection can read
- Monitor for unauthorized data exfiltration or unexpected database query patterns
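The following PHP is an added example, not code from GEO my WP or its vendor. It shows the four controls the technical summary lists as missing (is_numeric() validation, (float) casting, a range check, and $wpdb->prepare()) applied to the swlatlng/nelatlng fragments, and then reuses the same validator as a log-review check for the "review database access logs" and WAF actions above. The function names, the table name gmw_locations_example and the sample log lines are all constructed for illustration; $wpdb and its prepare() method are WordPress's real database API, so the SQL helper assumes it runs inside WordPress while the log check runs in plain PHP.

```php
<?php
// Added example (not GEO my WP's code). Function names, the table name and
// the log lines below are hypothetical stand-ins for illustration.

/**
 * Parse one "lat,lng" boundary value into validated floats.
 * Returns null when either fragment is non-numeric or out of range,
 * which is the check the advisory says the plugin never performed.
 */
function gmw_example_parse_boundary(string $raw): ?array {
    $parts = explode(',', $raw);
    if (count($parts) !== 2) {
        return null;
    }
    [$lat, $lng] = array_map('trim', $parts);
    if (!is_numeric($lat) || !is_numeric($lng)) {
        return null;
    }
    $lat = (float) $lat;
    $lng = (float) $lng;
    // A bounding-box corner must be a real geographic coordinate.
    if ($lat < -90.0 || $lat > 90.0 || $lng < -180.0 || $lng > 180.0) {
        return null;
    }
    return ['lat' => $lat, 'lng' => $lng];
}

/**
 * Build the bounding-box query with $wpdb->prepare() so the bounds reach
 * MySQL as bound %f values rather than as concatenated text.
 * Requires WordPress ($wpdb); the table name is a placeholder.
 */
function gmw_example_boundary_sql(wpdb $wpdb, string $sw, string $ne): ?string {
    $sw_point = gmw_example_parse_boundary($sw);
    $ne_point = gmw_example_parse_boundary($ne);
    if ($sw_point === null || $ne_point === null) {
        return null; // refuse to build SQL for invalid input
    }
    return $wpdb->prepare(
        "SELECT object_id FROM {$wpdb->prefix}gmw_locations_example
         WHERE latitude BETWEEN %f AND %f AND longitude BETWEEN %f AND %f",
        $sw_point['lat'], $ne_point['lat'], $sw_point['lng'], $ne_point['lng']
    );
}

/**
 * Mirror how the parameters arrive: parse_str() over the raw query string,
 * which wp_magic_quotes() never touches. parse_str() URL-decodes for us.
 */
function gmw_example_bounds_from_query_string(string $query_string): array {
    parse_str($query_string, $params);
    return [
        'swlatlng' => isset($params['swlatlng']) ? (string) $params['swlatlng'] : '',
        'nelatlng' => isset($params['nelatlng']) ? (string) $params['nelatlng'] : '',
    ];
}

/**
 * Log review: flag combined-format access-log lines whose swlatlng/nelatlng
 * values fail the same validator the hardened code applies.
 */
function gmw_example_flag_log_lines(array $lines): array {
    $flagged = [];
    foreach ($lines as $line) {
        // Request field looks like: "GET /path?query HTTP/1.1"
        if (!preg_match('/"(?:GET|POST) [^ ?]*\?([^ "]*) HTTP/', $line, $m)) {
            continue;
        }
        $bounds = gmw_example_bounds_from_query_string($m[1]);
        foreach ($bounds as $name => $value) {
            if ($value !== '' && gmw_example_parse_boundary($value) === null) {
                $flagged[] = ['param' => $name, 'value' => $value, 'line' => $line];
            }
        }
    }
    return $flagged;
}

// Constructed sample log lines (not real traffic): one well-formed request
// and one whose swlatlng fragment carries a stray quote.
$sample_log = [
    '203.0.113.5 - - [30/May/2026:10:16:23 +0000] "GET /locator/?swlatlng=40.70,-74.02&nelatlng=40.80,-73.93 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [30/May/2026:10:17:01 +0000] "GET /locator/?swlatlng=40.70%27,-74.02&nelatlng=40.80,-73.93 HTTP/1.1" 200 8192',
];
foreach (gmw_example_flag_log_lines($sample_log) as $hit) {
    echo "non-numeric {$hit['param']} fragment: {$hit['value']}\n";
}
```

Only the second sample line is reported, because "40.70'" fails is_numeric(). Running the same validator both in the request path and over the logs is deliberate: a WAF or log rule that accepts exactly the inputs the fixed code accepts has no gap between what it flags and what the application rejects.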
Evidence notes
The vulnerability was disclosed on 2026-05-30 and modified on 2026-06-01. The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N with a score of 7.5 (HIGH). The weakness is classified as CWE-89 (SQL Injection). The vulnerability status in NVD is Deferred. The vendor is listed as Unknown Vendor with low confidence based on reference domain candidate Wordpress.
Official resources
2026-05-30T10:16:23.980Z