HIGH
ninjew
CVE published 2026-05-30
CVE-2026-9757
The GEO my WP plugin for WordPress is vulnerable to SQL Injection via the 'swlatlng' and 'nelatlng' parameters in all versions up to, and including, 4.5.5. The parameters are read from $_SERVER['QUERY_STRING'] via parse_str(), bypassing WordPress's wp_magic_quotes protection (which only covers $_POST/$_GET/$_COOKIE/$_REQUEST). Each parameter is split on ',' via explode() and the resulting fragments are in [truncated]
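A defensive handling of these two parameters, as an added example that is not the plugin's code or its patch: each comma-separated fragment is accepted only if it is a plain decimal number in range. The function name is hypothetical, and treating each parameter as a "latitude,longitude" pair is an assumption drawn from the parameter names.

```php
<?php
// Added example, not GEO my WP code. The function name and the
// lat/lng range checks are assumptions made for illustration.

/**
 * Parse a "lat,lng" string into two bounded floats, or return null.
 * Only values that match a strict decimal grammar are returned, so no
 * caller-controlled text is left to reach a SQL statement.
 */
function example_parse_latlng_pair($raw): ?array
{
    // parse_str() yields an array for "name[]=..." input; reject it.
    if (!is_string($raw)) {
        return null;
    }
    $parts = explode(',', $raw);
    if (count($parts) !== 2) {
        return null;
    }
    $out = [];
    foreach ($parts as $i => $part) {
        $part = trim($part);
        // Optional sign, up to three integer digits, optional fraction.
        if (!preg_match('/\A-?\d{1,3}(?:\.\d{1,15})?\z/', $part)) {
            return null;
        }
        $value = (float) $part;
        $limit = ($i === 0) ? 90.0 : 180.0; // latitude first, then longitude
        if (abs($value) > $limit) {
            return null;
        }
        $out[] = $value;
    }
    return $out;
}

// Constructed query string. parse_str() returns raw values: nothing here
// has passed through wp_magic_quotes. nelatlng has a non-numeric fragment.
parse_str('swlatlng=32.05,34.75&nelatlng=32.10,abc', $query);

$sw = example_parse_latlng_pair($query['swlatlng'] ?? null);
$ne = example_parse_latlng_pair($query['nelatlng'] ?? null);
var_dump($sw, $ne);

// Inside WordPress, bind the validated floats with $wpdb->prepare() and
// %f placeholders instead of concatenating fragments into the query.
```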