PatchSiren

ninjew CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL ninjew CVE published 2026-07-10

CVE-2026-15300

The GEO my WP plugin for WordPress was vulnerable to SQL Injection via the 'distance', 'lat', and 'lng' parameters in versions up to, and including, 4.5.4. The values were read from $_SERVER['QUERY_STRING'] via parse_str() (bypassing wp_magic_quotes, which does not cover $_SERVER), then passed through bare esc_sql() before being interpolated into unquoted numeric positions in the proximity-search query (H [truncated]

HIGH ninjew CVE published 2026-05-30

CVE-2026-9757

The GEO my WP plugin for WordPress is vulnerable to SQL Injection via the 'swlatlng' and 'nelatlng' parameters in all versions up to, and including, 4.5.5. The parameters are read from $_SERVER['QUERY_STRING'] via parse_str(), bypassing WordPress's wp_magic_quotes protection (which only covers $_POST/$_GET/$_COOKIE/$_REQUEST). Each parameter is split on ',' via explode() and the resulting fragments are in [truncated]