SQL Injection Vulnerability in GEO my WP Plugin for WordPress
CVE-2026-15300

9.1CRITICAL

Key Information:

Vendor

WordPress

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-15300?

The GEO my WP plugin for WordPress was susceptible to SQL Injection through the 'distance', 'lat', and 'lng' parameters, allowing attackers to exploit unvalidated user input. This vulnerability arises from the improper handling of data parsed from the query string, specifically when numeric values are directly interpolated into SQL queries without adequate sanitization. As a result, malicious payloads could bypass basic security measures, leading to potential unauthorized database exposure or manipulation. The issue was addressed in version 4.5.5 with the implementation of type checks and improved sanitization practices.

Affected Version(s)

GEO my WP 0 <= 4.5.4

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.