SYS::ONLINE
Wasteland.
Briefs1149
Issues18
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-15300 2026-07-10

CVE-2026-15300: Critical SQL Injection in GEO my WP WordPress Plugin

"An unauthenticated SQL injection flaw in the GEO my WP plugin (versions ≤ 4.5.4) lets remote attackers inject SQL through proximity-search parameters, earning a CVSS score of 9.1 (Critical)."

An unauthenticated SQL injection flaw in the GEO my WP plugin (versions ≤ 4.5.4) lets remote attackers inject SQL through proximity-search parameters, earning a CVSS score of 9.1 (Critical).

What Is It

CVE-2026-15300 is an unauthenticated SQL injection vulnerability (CWE-89) in the GEO my WP plugin for WordPress, affecting all versions up to and including 4.5.4. The distance, lat, and lng parameters are read from $_SERVER['QUERY_STRING'] via parse_str(), which bypasses WordPress's wp_magic_quotes because that protection does not cover $_SERVER. The values are then passed through a bare esc_sql() call before being interpolated into unquoted numeric positions in the proximity-search query built by gmw_locations_query(). Because esc_sql() only escapes string delimiters and these are numeric positions, payloads such as 1 OR SLEEP(3) survive sanitization.

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.1 (Critical), with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. It is exploitable over the network, requires low attack complexity, and needs no privileges or user interaction; meaning any anonymous visitor can reach it. The impact rates HIGH for both integrity and availability, giving attackers a path to manipulate database contents and degrade site availability.

What's Vulnerable

Patch Status

Fixed in version 4.5.5. The patch adds an upstream is_numeric() guard that short-circuits the WHERE clause to AND 1 = 0 when either coordinate is non-numeric, and replaces the three esc_sql() calls with (float) casts. Users should update to 4.5.5 or later immediately. No CISA KEV entry was supplied, so active exploitation is not confirmed by this source material.

Sources