<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>GEO My WP Plugin &lt;= 4.5.4 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/geo-my-wp-plugin--4.5.4/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 05:18:49 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/geo-my-wp-plugin--4.5.4/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-15300: Critical SQL Injection in GEO my WP WordPress Plugin</title><link>https://feed.craftedsignal.io/briefs/2026-07-geo-my-wp-sqli/</link><pubDate>Fri, 10 Jul 2026 05:18:49 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-geo-my-wp-sqli/</guid><description>A critical SQL Injection vulnerability, identified as CVE-2026-15300, was found in the GEO my WP plugin for WordPress, affecting versions up to and including 4.5.4, allowing attackers to inject SQL payloads through the 'distance', 'lat', and 'lng' parameters, leading to potential data compromise or denial of service.</description><content:encoded><![CDATA[<p>A critical SQL Injection vulnerability, CVE-2026-15300, has been identified in the GEO my WP plugin for WordPress, affecting versions up to and including 4.5.4. This flaw allows unauthenticated attackers to inject malicious SQL payloads through the 'distance', 'lat', and 'lng' parameters within HTTP GET requests. The vulnerability stems from values being read directly from <code>$_SERVER['QUERY_STRING']</code> via <code>parse_str()</code>, which bypasses standard WordPress input sanitization functions like <code>wp_magic_quotes</code>. Although these values were subsequently passed through <code>esc_sql()</code>, this function inadequately sanitized the input for its eventual interpolation into unquoted numeric positions within the plugin's proximity-search queries. This allowed payloads such as <code>1 OR SLEEP(3)</code> to execute successfully on the database. Successful exploitation could lead to information disclosure, denial of service, or potentially remote code execution on the underlying database server. The issue was patched in version 4.5.5 by introducing <code>is_numeric()</code> checks and <code>(float)</code> casts for the affected parameters.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a WordPress website running a vulnerable version of the GEO my WP plugin (version 4.5.4 or earlier).</li>
<li>The attacker crafts an HTTP GET request targeting a vulnerable endpoint of the GEO my WP plugin, appending a malicious SQL payload to the <code>distance</code>, <code>lat</code>, or <code>lng</code> URL parameters (e.g., <code>/wp-admin/admin-ajax.php?action=gmw_get_locations&amp;distance=1%20OR%20SLEEP(3)</code>).</li>
<li>The vulnerable plugin code processes the request, reading the crafted parameters directly from <code>$_SERVER['QUERY_STRING']</code> via <code>parse_str()</code>, thereby bypassing <code>wp_magic_quotes</code> which would typically mitigate such injection attempts.</li>
<li>The <code>esc_sql()</code> function is applied to the parameter values; however, it fails to adequately sanitize the malicious payload because the input is destined for unquoted <em>numeric</em> positions within the subsequent SQL query, allowing payloads like <code>OR SLEEP(3)</code> to persist.</li>
<li>The unsanitized SQL payload is directly interpolated into the <code>HAVING</code> or <code>SELECT</code> clause of the database's proximity-search query (e.g., <code>SELECT ..., (some_calc) AS distance FROM ... HAVING distance BETWEEN 0 AND 1 OR SLEEP(3)</code>).</li>
<li>The backend database server executes the injected SQL command, leading to the attacker's desired effect, such as delaying the response to cause a denial of service, or executing more complex queries for data exfiltration or remote code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-15300 can lead to severe consequences for affected WordPress sites. Attackers can leverage SQL injection to gain unauthorized access to sensitive data stored in the database, including user credentials, personal information, and website configurations. Depending on the database configuration and the specific injected payload, attackers might achieve full database compromise, data manipulation, or even remote code execution on the underlying server. Furthermore, denial-of-service attacks, such as those employing <code>SLEEP()</code> commands, can significantly degrade website performance or render it temporarily unavailable, severely disrupting business operations and damaging organizational reputation. While specific victim counts are not provided, the widespread use of WordPress and its plugins suggests a broad potential impact across various sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch all WordPress installations using the GEO my WP plugin to version 4.5.5 or later to remediate CVE-2026-15300 immediately.</li>
<li>Deploy the Sigma rule <code>Detect CVE-2026-15300 Exploitation - GEO my WP SQL Injection</code> to your SIEM to detect attempted exploitation of this vulnerability.</li>
<li>Enable comprehensive web server access logging, including full URI query strings, to allow for detection and forensic analysis of exploitation attempts.</li>
<li>Implement a Web Application Firewall (WAF) in front of WordPress instances to filter and block suspicious requests targeting <code>distance</code>, <code>lat</code>, or <code>lng</code> parameters with SQL injection payloads.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>sql-injection</category><category>vulnerability</category><category>webserver</category></item></channel></rss>