{
  "description": "Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.",
  "feed_url": "https://feed.craftedsignal.io/products/geo-my-wp-plugin--4.5.5/feed.json",
  "home_page_url": "https://feed.craftedsignal.io/",
  "items": [
    {
      "_cs_actors": [],
      "_cs_cpes": [],
      "_cs_cves": [{"cvss": 7.5, "id": "CVE-2026-9757"}],
      "_cs_exploited": false,
      "_cs_has_poc": false,
      "_cs_poc_references": [],
      "_cs_products": ["GEO my WP plugin \u003c= 4.5.5"],
      "_cs_severities": ["high"],
      "_cs_tags": ["cve", "sqli", "wordpress", "plugin", "geomywp"],
      "_cs_type": "advisory",
      "_cs_vendors": ["WordPress"],
      "content_html": "\u003cp\u003eThe GEO my WP plugin, a WordPress plugin designed for location-based functionality, contains a SQL injection vulnerability (CVE-2026-9757) in versions up to and including 4.5.5. The vulnerability lies within the handling of the \u0026lsquo;swlatlng\u0026rsquo; and \u0026lsquo;nelatlng\u0026rsquo; parameters, which are used to define geographical boundaries for searches. These parameters are extracted from the \u003ccode\u003e$_SERVER['QUERY_STRING']\u003c/code\u003e array using \u003ccode\u003eparse_str()\u003c/code\u003e, bypassing the standard WordPress magic quotes protection, and are subsequently incorporated into a SQL query without proper sanitization or validation. This flaw enables unauthenticated attackers to inject arbitrary SQL code into the query, potentially leading to the extraction of sensitive data from the WordPress database. Successful exploitation requires the presence of the \u003ccode\u003e[gmw form=\u0026quot;results\u0026quot; form_id=N]\u003c/code\u003e shortcode on a publicly accessible page and at least one post with an associated \u003ccode\u003egmw_location\u003c/code\u003e entry.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious HTTP request targeting a WordPress page containing the \u003ccode\u003e[gmw form=\u0026quot;results\u0026quot; form_id=N]\u003c/code\u003e shortcode.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes the \u003ccode\u003eswlatlng\u003c/code\u003e and/or \u003ccode\u003enelatlng\u003c/code\u003e parameters in the URL\u0026rsquo;s query string, containing SQL injection payloads.\u003c/li\u003e\n\u003cli\u003eWordPress\u0026rsquo;s \u003ccode\u003eparse_str()\u003c/code\u003e function parses the query string from \u003ccode\u003e$_SERVER['QUERY_STRING']\u003c/code\u003e, extracting the injected parameters. Critically, this bypasses \u003ccode\u003ewp_magic_quotes\u003c/code\u003e protection.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egmw_get_locations_within_boundaries_sql()\u003c/code\u003e function receives the unsanitized \u003ccode\u003eswlatlng\u003c/code\u003e and \u003ccode\u003enelatlng\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eexplode()\u003c/code\u003e function splits the parameters by commas, creating fragments.\u003c/li\u003e\n\u003cli\u003eThese fragments are directly interpolated into a SQL \u003ccode\u003eBETWEEN\u003c/code\u003e clause within the \u003ccode\u003egmw_get_locations_within_boundaries_sql()\u003c/code\u003e function without any validation (e.g. \u003ccode\u003eis_numeric()\u003c/code\u003e), casting to float, or sanitization (e.g. \u003ccode\u003eesc_sql()\u003c/code\u003e or \u003ccode\u003e$wpdb-\u0026gt;prepare()\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the WordPress database.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information, such as user credentials or other plugin data, from the database using the injected SQL queries.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability (CVE-2026-9757) allows unauthenticated attackers to execute arbitrary SQL queries against the WordPress database. This can lead to the disclosure of sensitive information, including user credentials, database configurations, and other confidential data stored within the database. A successful attack could compromise the entire WordPress installation and potentially any other applications sharing the same database server. The CVSS v3.1 base score for this vulnerability is 7.5, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the GEO my WP plugin to the latest version, which includes a fix for CVE-2026-9757.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-9757 Exploitation Attempt — GEO my WP SQL Injection\u0026rdquo; to your SIEM to detect exploitation attempts based on suspicious query string parameters.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing the \u003ccode\u003eswlatlng\u003c/code\u003e and \u003ccode\u003enelatlng\u003c/code\u003e parameters in the query string with SQL injection syntax, as detected by the Sigma rule above.\u003c/li\u003e\n\u003c/ul\u003e\n",
      "date_modified": "2026-05-30T10:17:22Z",
      "date_published": "2026-05-30T10:17:22Z",
      "id": "https://feed.craftedsignal.io/briefs/2026-05-geo-my-wp-sqli/",
      "summary": "The GEO my WP plugin for WordPress is vulnerable to SQL Injection (CVE-2026-9757) via the 'swlatlng' and 'nelatlng' parameters, allowing unauthenticated attackers to extract sensitive information from the database by injecting SQL queries into a BETWEEN clause.",
      "title": "GEO my WP WordPress Plugin SQL Injection Vulnerability (CVE-2026-9757)",
      "url": "https://feed.craftedsignal.io/briefs/2026-05-geo-my-wp-sqli/"
    }
  ],
  "language": "en",
  "title": "CraftedSignal Threat Feed — GEO My WP Plugin \u003c= 4.5.5",
  "version": "https://jsonfeed.org/version/1.1"
}