{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/geo-my-wp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-15300"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["GEO my WP plugin \u003c= 4.5.4"],"_cs_severities":["critical"],"_cs_tags":["wordpress","plugin","sql-injection","vulnerability","webserver"],"_cs_type":"advisory","_cs_vendors":["GEO my WP","WordPress"],"content_html":"\u003cp\u003eA critical SQL Injection vulnerability, CVE-2026-15300, has been identified in the GEO my WP plugin for WordPress, affecting versions up to and including 4.5.4. This flaw allows unauthenticated attackers to inject malicious SQL payloads through the 'distance', 'lat', and 'lng' parameters within HTTP GET requests. The vulnerability stems from values being read directly from \u003ccode\u003e$_SERVER['QUERY_STRING']\u003c/code\u003e via \u003ccode\u003eparse_str()\u003c/code\u003e, which bypasses standard WordPress input sanitization functions like \u003ccode\u003ewp_magic_quotes\u003c/code\u003e. Although these values were subsequently passed through \u003ccode\u003eesc_sql()\u003c/code\u003e, this function inadequately sanitized the input for its eventual interpolation into unquoted numeric positions within the plugin's proximity-search queries. This allowed payloads such as \u003ccode\u003e1 OR SLEEP(3)\u003c/code\u003e to execute successfully on the database. Successful exploitation could lead to information disclosure, denial of service, or potentially remote code execution on the underlying database server. The issue was patched in version 4.5.5 by introducing \u003ccode\u003eis_numeric()\u003c/code\u003e checks and \u003ccode\u003e(float)\u003c/code\u003e casts for the affected parameters.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a WordPress website running a vulnerable version of the GEO my WP plugin (version 4.5.4 or earlier).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request targeting a vulnerable endpoint of the GEO my WP plugin, appending a malicious SQL payload to the \u003ccode\u003edistance\u003c/code\u003e, \u003ccode\u003elat\u003c/code\u003e, or \u003ccode\u003elng\u003c/code\u003e URL parameters (e.g., \u003ccode\u003e/wp-admin/admin-ajax.php?action=gmw_get_locations\u0026amp;distance=1%20OR%20SLEEP(3)\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe vulnerable plugin code processes the request, reading the crafted parameters directly from \u003ccode\u003e$_SERVER['QUERY_STRING']\u003c/code\u003e via \u003ccode\u003eparse_str()\u003c/code\u003e, thereby bypassing \u003ccode\u003ewp_magic_quotes\u003c/code\u003e which would typically mitigate such injection attempts.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eesc_sql()\u003c/code\u003e function is applied to the parameter values; however, it fails to adequately sanitize the malicious payload because the input is destined for unquoted \u003cem\u003enumeric\u003c/em\u003e positions within the subsequent SQL query, allowing payloads like \u003ccode\u003eOR SLEEP(3)\u003c/code\u003e to persist.\u003c/li\u003e\n\u003cli\u003eThe unsanitized SQL payload is directly interpolated into the \u003ccode\u003eHAVING\u003c/code\u003e or \u003ccode\u003eSELECT\u003c/code\u003e clause of the database's proximity-search query (e.g., \u003ccode\u003eSELECT ..., (some_calc) AS distance FROM ... HAVING distance BETWEEN 0 AND 1 OR SLEEP(3)\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe backend database server executes the injected SQL command, leading to the attacker's desired effect, such as delaying the response to cause a denial of service, or executing more complex queries for data exfiltration or remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-15300 can lead to severe consequences for affected WordPress sites. Attackers can leverage SQL injection to gain unauthorized access to sensitive data stored in the database, including user credentials, personal information, and website configurations. Depending on the database configuration and the specific injected payload, attackers might achieve full database compromise, data manipulation, or even remote code execution on the underlying server. Furthermore, denial-of-service attacks, such as those employing \u003ccode\u003eSLEEP()\u003c/code\u003e commands, can significantly degrade website performance or render it temporarily unavailable, severely disrupting business operations and damaging organizational reputation. While specific victim counts are not provided, the widespread use of WordPress and its plugins suggests a broad potential impact across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch all WordPress installations using the GEO my WP plugin to version 4.5.5 or later to remediate CVE-2026-15300 immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CVE-2026-15300 Exploitation - GEO my WP SQL Injection\u003c/code\u003e to your SIEM to detect attempted exploitation of this vulnerability.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive web server access logging, including full URI query strings, to allow for detection and forensic analysis of exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) in front of WordPress instances to filter and block suspicious requests targeting \u003ccode\u003edistance\u003c/code\u003e, \u003ccode\u003elat\u003c/code\u003e, or \u003ccode\u003elng\u003c/code\u003e parameters with SQL injection payloads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T05:18:49Z","date_published":"2026-07-10T05:18:49Z","id":"https://feed.craftedsignal.io/briefs/2026-07-geo-my-wp-sqli/","summary":"A critical SQL Injection vulnerability, identified as CVE-2026-15300, was found in the GEO my WP plugin for WordPress, affecting versions up to and including 4.5.4, allowing attackers to inject SQL payloads through the 'distance', 'lat', and 'lng' parameters, leading to potential data compromise or denial of service.","title":"CVE-2026-15300: Critical SQL Injection in GEO my WP WordPress Plugin","url":"https://feed.craftedsignal.io/briefs/2026-07-geo-my-wp-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed - GEO My WP","version":"https://jsonfeed.org/version/1.1"}