An unauthenticated SQL injection flaw in the GEO my WP plugin (versions ≤ 4.5.4) lets remote attackers inject SQL through proximity-search parameters, earning a CVSS score of 9.1 (Critical).
What Is It
CVE-2026-15300 is an unauthenticated SQL injection vulnerability (CWE-89) in the GEO my WP plugin for WordPress, affecting all versions up to and including 4.5.4. The distance, lat, and lng parameters are read from $_SERVER['QUERY_STRING'] via parse_str(), which bypasses WordPress's wp_magic_quotes because that protection does not cover $_SERVER. The values are then passed through a bare esc_sql() call before being interpolated into unquoted numeric positions in the proximity-search query built by gmw_locations_query(). Because esc_sql() only escapes string delimiters and these are numeric positions, payloads such as 1 OR SLEEP(3) survive sanitization.
Why It Matters
The vulnerability carries a CVSS 3.1 base score of 9.1 (Critical), with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H. It is exploitable over the network, requires low attack complexity, and needs no privileges or user interaction; meaning any anonymous visitor can reach it. The impact rates HIGH for both integrity and availability, giving attackers a path to manipulate database contents and degrade site availability.
What's Vulnerable
- Vendor: ninjew
- Product: GEO my WP (WordPress plugin)
- Affected versions: 0 through 4.5.4 (inclusive)
- Injection points: the
distance,lat, andlngquery parameters flowing into the HAVING/SELECT distance math and the BETWEEN bounding-box pre-filter inplugins/posts-locator/includes/class-gmw-wp-query.php
Patch Status
Fixed in version 4.5.5. The patch adds an upstream is_numeric() guard that short-circuits the WHERE clause to AND 1 = 0 when either coordinate is non-numeric, and replaces the three esc_sql() calls with (float) casts. Users should update to 4.5.5 or later immediately. No CISA KEV entry was supplied, so active exploitation is not confirmed by this source material.