CVE-2026-9757: SQL Injection in GEO my WP WordPress Plugin (Versions ≤4.5.5)
The GEO my WP WordPress plugin contains a SQL injection vulnerability that allows attackers to extract sensitive data from a site's database. The flaw exists in how the plugin processes geographic coordinate parameters (swlatlng and nelatlng) without proper validation or sanitization. An attacker can craft a malicious URL to inject SQL commands that execute alongside legitimate queries, potentially revealing user data, posts, and other confidential information. No authentication is required, and the vulnerability affects all versions up to and including 4.5.5.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-30 / 2026-06-17
NVD description (verbatim)
The GEO my WP plugin for WordPress is vulnerable to SQL Injection via the 'swlatlng' and 'nelatlng' parameters in all versions up to, and including, 4.5.5 The parameters are read from $_SERVER['QUERY_STRING'] via parse_str() (bypassing WordPress's wp_magic_quotes protection, which only covers $_POST/$_GET/$_COOKIE/$_REQUEST), then each is split on ',' via explode() and the resulting fragments are interpolated directly into a SQL BETWEEN clause in gmw_get_locations_within_boundaries_sql() without is_numeric() validation, (float) casting, esc_sql(), or $wpdb->prepare(). This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the site to host the Posts Locator search-results shortcode (`[gmw form="results" form_id=N]`) on a public page and to have at least one published post with an associated gmw_location row.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
GEO my WP versions up to 4.5.5 are vulnerable to SQL injection via the swlatlng and nelatlng parameters. These parameters are extracted directly from $_SERVER['QUERY_STRING'] using parse_str(), which bypasses WordPress's wp_magic_quotes protection that only covers $_POST, $_GET, $_COOKIE, and $_REQUEST superglobals. After extraction, the parameters are split via explode() and interpolated directly into a SQL BETWEEN clause in the gmw_get_locations_within_boundaries_sql() function. The fragments receive no numeric validation via is_numeric(), no type casting to (float), no esc_sql() escaping, and no parameterized query preparation via $wpdb->prepare(). This allows attackers to inject arbitrary SQL into the WHERE clause of location boundary queries.
Business impact
A successful exploit could expose customer data, user credentials, post content, and other sensitive information stored in the WordPress database. For e-commerce or membership sites using GEO my WP for location-based services, this represents a material data breach risk. Compliance implications include potential GDPR, CCPA, or HIPAA violations depending on data handled and jurisdiction. The breach could harm customer trust, trigger notification obligations, and result in reputational and legal costs.
Affected systems
GEO my WP plugin versions up to and including 4.5.5 are affected. Exploitation requires that (1) the site hosts the Posts Locator search-results shortcode (`[gmw form="results" form_id=N]`) on a publicly accessible page, and (2) at least one published post has an associated gmw_location row in the database. Sites using other GEO my WP features without the Posts Locator shortcode, or with no published posts linked to locations, are not exploitable via this vector.
Exploitability
Exploitation is straightforward and requires no authentication. An attacker simply crafts a URL containing malicious SQL in the swlatlng or nelatlng parameters and submits it to a page hosting the vulnerable shortcode. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U) reflects this low barrier: network-accessible, low complexity, no privileges needed, and no user interaction required. However, the vulnerability does require specific preconditions (Posts Locator shortcode present and at least one gmw_location record), which slightly reduce real-world attack surface but do not prevent exploitation once those conditions are met.
Remediation
Update GEO my WP to a patched version that sanitizes and validates the swlatlng and nelatlng parameters. Verify against the vendor's official advisory for the exact version number that resolves this issue. As a temporary mitigation, disable or restrict access to pages hosting the Posts Locator shortcode until patching is possible. Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in query strings targeting gmw-related parameters.
Patch guidance
Consult the official GEO my WP plugin repository and release notes to identify the minimum version that includes the SQL injection fix. Once identified, update the plugin through the WordPress admin dashboard (Plugins > Installed Plugins > GEO my WP > Update) or via WP-CLI. After updating, verify that the Posts Locator shortcode continues to function as expected and test location-based searches. If you are unable to patch immediately, consider disabling the Posts Locator functionality until a fix is deployed.
Detection guidance
Monitor web server access logs and WAF logs for unusual query strings targeting gmw-related endpoints, especially those containing SQL keywords (SELECT, UNION, INSERT, OR, AND, --) in the swlatlng or nelatlng parameters. WordPress security plugins (Wordfence, Sucuri) may detect SQL injection attempts. Review database query logs for anomalous BETWEEN clauses or unexpected SELECT statements on tables accessed by the plugin. Perform database audits to identify any unauthorized data exfiltration or schema changes.
Why prioritize this
This vulnerability merits immediate attention due to its HIGH CVSS score (7.5), unauthenticated exploitability, and potential for sensitive data extraction. The low complexity of attack execution and absence from the KEV catalog (indicating limited public exploit infrastructure to date) suggest that prioritization should focus on rapid patching and detection rather than crisis response. Organizations hosting the Posts Locator shortcode should prioritize this update above routine patches.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects unauthenticated network access (AV:N), low attack complexity (AC:L), no required privileges (PR:N), no user interaction (UI:N), and confidentiality impact to sensitive data (C:H). There is no integrity or availability impact via this vector, so the score does not reach 9.0+. The preconditions (shortcode presence, gmw_location records) slightly lower real-world severity but do not alter the base score.
Frequently asked questions
Who is affected by CVE-2026-9757?
Any WordPress site running GEO my WP version 4.5.5 or earlier that (1) displays the Posts Locator search-results shortcode on a public page and (2) has at least one post linked to a gmw_location record. If your site does not use this specific shortcode or has no location data, you are not at risk from this particular vector.
What information can an attacker extract?
An attacker can craft SQL injection payloads to query any table in the WordPress database accessible by the plugin's database user. This typically includes user accounts, email addresses, posts, post meta, and potentially sensitive custom data. The scope depends on the plugin's database permissions and any custom tables it has created.
Is there a way to mitigate this without updating?
Temporary mitigations include disabling the Posts Locator shortcode, restricting page access via authentication or IP allowlisting, or implementing WAF rules to block SQL injection patterns in query strings. These are not permanent solutions and should be treated as stopgaps until the plugin is patched.
Has this vulnerability been exploited in the wild?
As of the published date, CVE-2026-9757 is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed public exploitation or in-the-wild attacks known at that time. However, the ease of exploitation means defensive measures should be implemented promptly.
This analysis is provided for informational purposes and represents the state of publicly available information as of the CVE publication date. While we have taken care to ensure accuracy, SEC.co makes no warranty regarding the completeness or applicability of this guidance to your specific environment. Always verify vulnerability details, patch availability, and compatibility requirements directly with the official GEO my WP vendor documentation and your internal change management process. Implement patches only after thorough testing in a non-production environment. If you have been compromised or suspect active exploitation, contact incident response and law enforcement as appropriate for your jurisdiction. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access