SQL Injection Vulnerability in GEO my WP Plugin for WordPress
CVE-2026-15300
9.1CRITICAL
What is CVE-2026-15300?
The GEO my WP plugin for WordPress was susceptible to SQL Injection through the 'distance', 'lat', and 'lng' parameters, allowing attackers to exploit unvalidated user input. This vulnerability arises from the improper handling of data parsed from the query string, specifically when numeric values are directly interpolated into SQL queries without adequate sanitization. As a result, malicious payloads could bypass basic security measures, leading to potential unauthorized database exposure or manipulation. The issue was addressed in version 4.5.5 with the implementation of type checks and improved sanitization practices.
Affected Version(s)
GEO my WP 0 <= 4.5.4