SpirityCVE

Vendors	Products
Cyberhobo	Geo Mashup
Wordpress	Wordpress

Link	Providers
https://www.spirityenterprise.com/pentest
https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1748
https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Hooks/SearchResults.php#L39
https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Search.php#L152
https://plugins.trac.wordpress.org/changeset/3503627/
https://www.wordfence.com/threat-intel/vulnerabilities/id/cc3cf6c5-643e-49ca-b09c-bd7cfec328ee?source=cve

Type	Values Removed	Values Added
First Time appeared		Cyberhobo Cyberhobo geo Mashup Wordpress Wordpress wordpress
Vendors & Products		Cyberhobo Cyberhobo geo Mashup Wordpress Wordpress wordpress

Type	Values Removed	Values Added
Description		The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'map_post_type' parameter in all versions up to, and including, 1.13.18. This is due to the `SearchResults` hook explicitly calling `stripslashes_deep($_POST)` which removes WordPress magic quotes protection, followed by the unsanitized `map_post_type` value being concatenated into an `IN(...)` clause without `esc_sql()` or `$wpdb->prepare()`. The 'any' branch of the same code correctly applies `array_map('esc_sql', ...)`, but the else branch does not. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. Exploitation requires the Geo Search feature to be enabled in plugin settings.
Title		Geo Mashup <= 1.13.18 - Unauthenticated Time-Based SQL Injection via 'map_post_type' Parameter
Weaknesses		CWE-89
References		https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1748 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Hooks/SearchResults.php#L39 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Search.php#L152 https://plugins.trac.wordpress.org/changeset/3503627/ https://www.wordfence.com/threat-intel/vulnerabilities/id/cc3cf6c5-643e-49ca-b09c-bd7cfec328ee?source=cve
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4061", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-12T17:28:38.631Z", "datePublished": "2026-05-02T11:16:10.948Z", "dateUpdated": "2026-05-02T11:16:10.948Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-05-02T11:16:10.948Z"}, "affected": [{"vendor": "cyberhobo", "product": "Geo Mashup", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.13.18", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'map_post_type' parameter in all versions up to, and including, 1.13.18. This is due to the `SearchResults` hook explicitly calling `stripslashes_deep($_POST)` which removes WordPress magic quotes protection, followed by the unsanitized `map_post_type` value being concatenated into an `IN(...)` clause without `esc_sql()` or `$wpdb->prepare()`. The 'any' branch of the same code correctly applies `array_map('esc_sql', ...)`, but the else branch does not. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. Exploitation requires the Geo Search feature to be enabled in plugin settings."}], "title": "Geo Mashup <= 1.13.18 - Unauthenticated Time-Based SQL Injection via 'map_post_type' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc3cf6c5-643e-49ca-b09c-bd7cfec328ee?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1748"}, {"url": "https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Hooks/SearchResults.php#L39"}, {"url": "https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Search.php#L152"}, {"url": "https://plugins.trac.wordpress.org/changeset/3503627/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Naoya Takahashi"}], "timeline": [{"time": "2026-03-12T17:48:47.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-05-01T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'map_post_type' parameter in all versions up to, and including, 1.13.18. This is due to the `SearchResults` hook explicitly calling `stripslashes_deep($_POST)` which removes WordPress magic quotes protection, followed by the unsanitized `map_post_type` value being concatenated into an `IN(...)` clause without `esc_sql()` or `$wpdb->prepare()`. The 'any' branch of the same code correctly applies `array_map('esc_sql', ...)`, but the else branch does not. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. Exploitation requires the Geo Search feature to be enabled in plugin settings."}], "id": "CVE-2026-4061", "lastModified": "2026-05-02T12:16:16.200", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-05-02T12:16:16.200", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1748"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Hooks/SearchResults.php#L39"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Search.php#L152"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3503627/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc3cf6c5-643e-49ca-b09c-bd7cfec328ee?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object