{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/geo-mashup-plugin--1.13.18/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4062"}],"_cs_exploited":false,"_cs_products":["Geo Mashup plugin \u003c= 1.13.18"],"_cs_severities":["high"],"_cs_tags":["sqli","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Geo Mashup plugin for WordPress, in versions up to and including 1.13.18, contains a Time-Based SQL Injection vulnerability (CVE-2026-4062). The vulnerability exists within the \u0026lsquo;object_ids\u0026rsquo; and \u0026lsquo;exclude_object_ids\u0026rsquo; parameters. Insufficient escaping of user-supplied input, specifically within the \u003ccode\u003eIN(...)\u003c/code\u003e and \u003ccode\u003eNOT IN(...)\u003c/code\u003e SQL context, coupled with inadequate preparation of the existing SQL query, allows for the injection. The \u003ccode\u003eesc_sql()\u003c/code\u003e function is applied but is rendered ineffective due to its inability to protect against parenthesis or SQL keyword injection within the unquoted \u003ccode\u003eIN(...)\u003c/code\u003e / \u003ccode\u003eNOT IN(...)\u003c/code\u003e context. A numeric-only sanitizer exists in \u003ccode\u003esanitize_query_args()\u003c/code\u003e, but this is only applied in the AJAX code path and not in the \u003ccode\u003erender-map.php\u003c/code\u003e or template tag code paths. This flaw enables unauthenticated attackers to append malicious SQL queries, facilitating the extraction of sensitive information from the WordPress database through a time-based blind SQL injection technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies the vulnerable Geo Mashup plugin running on a WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting an endpoint that utilizes the \u0026lsquo;object_ids\u0026rsquo; or \u0026lsquo;exclude_object_ids\u0026rsquo; parameters.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a time-based SQL injection payload into the \u0026lsquo;object_ids\u0026rsquo; or \u0026lsquo;exclude_object_ids\u0026rsquo; parameter. This payload leverages SQL functions like \u003ccode\u003eSLEEP()\u003c/code\u003e or \u003ccode\u003eBENCHMARK()\u003c/code\u003e to introduce delays based on conditional SQL logic.\u003c/li\u003e\n\u003cli\u003eThe vulnerable code fails to properly sanitize the injected SQL code due to the ineffective \u003ccode\u003eesc_sql()\u003c/code\u003e function in the \u003ccode\u003eIN\u003c/code\u003e/\u003ccode\u003eNOT IN\u003c/code\u003e context.\u003c/li\u003e\n\u003cli\u003eThe injected SQL payload is appended to the existing SQL query executed by the Geo Mashup plugin.\u003c/li\u003e\n\u003cli\u003eThe database server executes the combined query, including the injected time-based SQL injection.\u003c/li\u003e\n\u003cli\u003eThe attacker monitors the response time of the HTTP request. A delayed response indicates that the injected SQL logic evaluated to true.\u003c/li\u003e\n\u003cli\u003eBy repeatedly sending requests with different SQL injection payloads, the attacker can extract sensitive information from the database one character at a time.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to the complete compromise of the WordPress database. An attacker can extract sensitive information such as user credentials, API keys, configuration details, and other confidential data. This can result in data breaches, unauthorized access to the WordPress site, and potential further attacks on connected systems. The CVSS v3.1 base score for this vulnerability is 7.5, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Geo Mashup plugin to a version greater than 1.13.18 to remediate CVE-2026-4062.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Geo Mashup Time-Based SQL Injection Attempts\u003c/code\u003e to identify potential exploitation attempts targeting the vulnerable parameters.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing SQL injection payloads in the \u0026lsquo;object_ids\u0026rsquo; or \u0026lsquo;exclude_object_ids\u0026rsquo; parameters to detect exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:16:16Z","date_published":"2026-05-02T12:16:16Z","id":"/briefs/2026-05-geo-mashup-sqli/","summary":"The Geo Mashup WordPress plugin is vulnerable to Time-Based SQL Injection due to insufficient input sanitization, allowing unauthenticated attackers to extract sensitive database information.","title":"Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection (CVE-2026-4062)","url":"https://feed.craftedsignal.io/briefs/2026-05-geo-mashup-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Geo Mashup Plugin \u003c= 1.13.18","version":"https://jsonfeed.org/version/1.1"}