{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/geo-mashup-plugin/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4061"}],"_cs_exploited":false,"_cs_products":["Geo Mashup plugin"],"_cs_severities":["high"],"_cs_tags":["sql-injection","wordpress","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Geo Mashup plugin for WordPress is vulnerable to time-based SQL injection, as detailed in CVE-2026-4061. This vulnerability affects all versions of the plugin up to and including 1.13.18. The root cause lies in the \u003ccode\u003eSearchResults\u003c/code\u003e hook, where the \u003ccode\u003emap_post_type\u003c/code\u003e parameter is mishandled. Specifically, the code first calls \u003ccode\u003estripslashes_deep($_POST)\u003c/code\u003e, effectively removing WordPress\u0026rsquo;s magic quotes protection. Subsequently, the unsanitized \u003ccode\u003emap_post_type\u003c/code\u003e value is directly concatenated into an \u003ccode\u003eIN(...)\u003c/code\u003e clause without proper escaping using \u003ccode\u003eesc_sql()\u003c/code\u003e or \u003ccode\u003e$wpdb-\u0026gt;prepare()\u003c/code\u003e. While the \u0026lsquo;any\u0026rsquo; branch of the code correctly applies \u003ccode\u003earray_map('esc_sql', ...)\u003c/code\u003e, the alternative branch lacks this crucial sanitization step. Successful exploitation requires the Geo Search feature to be enabled in the plugin\u0026rsquo;s settings. This vulnerability allows unauthenticated attackers to inject malicious SQL queries, potentially leading to the extraction of sensitive database information through time-based blind techniques.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a WordPress site using a vulnerable version of the Geo Mashup plugin (\u0026lt;= 1.13.18) with the Geo Search feature enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003eSearchResults\u003c/code\u003e hook with a specially crafted \u003ccode\u003emap_post_type\u003c/code\u003e parameter containing SQL injection payload.\u003c/li\u003e\n\u003cli\u003eThe vulnerable code within the Geo Mashup plugin processes the POST request, removing magic quotes using \u003ccode\u003estripslashes_deep($_POST)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe unsanitized \u003ccode\u003emap_post_type\u003c/code\u003e value is then concatenated directly into an SQL query within an \u003ccode\u003eIN(...)\u003c/code\u003e clause without proper escaping.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code executes within the database query, allowing the attacker to manipulate the query\u0026rsquo;s behavior.\u003c/li\u003e\n\u003cli\u003eThe attacker uses time-based SQL injection techniques (e.g., \u003ccode\u003eIF(condition, SLEEP(5), 0)\u003c/code\u003e) within the injected payload to infer information based on the response time.\u003c/li\u003e\n\u003cli\u003eBy repeatedly sending modified requests and observing the response times, the attacker can extract sensitive data, character by character, from the database.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information such as usernames, passwords, API keys, or other confidential data stored in the WordPress database.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows unauthenticated attackers to extract sensitive information from the WordPress database. The severity of the impact depends on the sensitivity of the data stored in the database, but could include exposure of user credentials, confidential business data, or other sensitive information. Because it affects any installation with the Geo Search feature enabled, a large number of websites using the Geo Mashup plugin may be vulnerable. The CVSS v3.1 base score is 7.5, indicating a high severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Geo Mashup plugin to the latest version (later than 1.13.18) to patch CVE-2026-4061.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potential exploitation attempts targeting the vulnerable \u003ccode\u003eSearchResults\u003c/code\u003e hook using a malicious \u003ccode\u003emap_post_type\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eReview web server logs for suspicious POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e (common AJAX endpoint in WordPress) containing potentially malicious SQL injection payloads in the \u003ccode\u003emap_post_type\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-02T12:16:16Z","date_published":"2026-05-02T12:16:16Z","id":"/briefs/2026-05-geo-mashup-sql-injection/","summary":"A time-based SQL injection vulnerability (CVE-2026-4061) exists in the Geo Mashup WordPress plugin (\u003c= 1.13.18) due to insufficient sanitization of the 'map_post_type' parameter, enabling unauthenticated attackers to extract sensitive information via time-based blind SQL injection if the Geo Search feature is enabled.","title":"Geo Mashup WordPress Plugin Vulnerable to Time-Based SQL Injection (CVE-2026-4061)","url":"https://feed.craftedsignal.io/briefs/2026-05-geo-mashup-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Geo Mashup Plugin","version":"https://jsonfeed.org/version/1.1"}