The GEO my WP plugin for WordPress was vulnerable to SQL Injection via the 'distance', 'lat', and 'lng' parameters in versions up to, and including, 4.5.4. The values were read from $_SERVER['QUERY_STRING'] via parse_str() (bypassing wp_magic_quotes, which does not cover $_SERVER), then passed through bare esc_sql() before being interpolated into unquoted numeric positions in the proximity-search query (H [truncated]
The GEO my WP plugin for WordPress is vulnerable to SQL Injection via the 'swlatlng' and 'nelatlng' parameters in all versions up to, and including, 4.5.5. The parameters are read from $_SERVER['QUERY_STRING'] via parse_str(), bypassing WordPress's wp_magic_quotes protection (which only covers $_POST/$_GET/$_COOKIE/$_REQUEST). Each parameter is split on ',' via explode() and the resulting fragments are in [truncated]