Time-Based SQL Injection in Geo Mashup by WordPress
CVE-2026-4061

7.5HIGH

Key Information:

Vendor: WordPress
Status: Geo Mashup
Vendor: CVE Published:; 2 May 2026

What is CVE-2026-4061?

A vulnerability exists in the Geo Mashup plugin for WordPress that allows for Time-Based SQL Injection through the 'map_post_type' parameter. The issue arises due to an improper handling of user-supplied input where the 'SearchResults' hook calls stripslashes_deep($_POST), inadvertently removing protections against SQL injection. As a result, the unsanitized 'map_post_type' parameter is directly incorporated into an SQL query without appropriate safety measures, enabling unauthenticated attackers to manipulate queries and extract sensitive information from the database. This vulnerability is primarily exploitable when the Geo Search feature is enabled within the plugin settings.

Affected Version(s)

Geo Mashup 0 <= 1.13.18

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/geo-mashup/tru...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 2, 2026
Vulnerability Reserved
Mar 12, 2026

Credit

Naoya Takahashi

CVE-2026-4061 Data

JSON