Live Active security incident? Get immediate response
CVE Record

CVE-2026-9757: GEO my WP <= 4.5.5 - Unauthenticated SQL Injection via 'swlatlng' / 'nelatlng' Parameters

The GEO my WP plugin for WordPress is vulnerable to SQL Injection via the 'swlatlng' and 'nelatlng' parameters in all versions up to, and including, 4.5.5 The parameters are read from $_SERVER['QUERY_STRING'] via parse_str() (bypassing WordPress's wp_magic_quotes protection, which only covers $_POST/$_GET/$_COOKIE/$_REQUEST), then each is split on ',' via explode() and the resulting fragments are interpolated directly into a SQL BETWEEN clause in gmw_get_locations_within_boundaries_sql() without is_numeric() validation, (float) casting, esc_sql(), or $wpdb->prepare(). This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires the site to host the Posts Locator search-results shortcode (`[gmw form="results" form_id=N]`) on a public page and to have at least one published post with an associated gmw_location row.

HighCVSS 7.5Not KEV-listed Updated
Discuss exposure Back to CVEs
Glexia's Take high

Analyst readout for executives and security teams

Plain-English summary

This is an unauthenticated SQL injection in the GEO my WP WordPress plugin through public location-search parameters. Affected sites can expose sensitive database information if they use vulnerable plugin versions and a specific public Posts Locator results page.

Executive priority

Treat this as a high-priority website data exposure risk. Patch or disable affected locator pages quickly, especially on public WordPress sites with customer, user, or business-sensitive data in the database.

Technical view

The issue is in GEO my WP up to 4.5.5. Location boundary parameters are parsed from QUERY_STRING, split, and inserted into a SQL BETWEEN clause without numeric validation, casting, escaping, or prepared statements.

Likely exposure

Exposure is limited to WordPress sites running GEO my WP up to 4.5.5 with a public Posts Locator results shortcode and at least one published post linked to a gmw_location row.

Exploitation context

The CVE describes unauthenticated, network-reachable exploitation with low complexity and no user interaction. The provided bundle does not show CISA KEV listing or other evidence of active exploitation.

Researcher notes

The vulnerable path depends on QUERY_STRING parsing and direct interpolation into gmw_get_locations_within_boundaries_sql. Exposure prerequisites matter; not every GEO my WP installation is reachable through the described shortcode flow.

Mitigation direction

  • Upgrade GEO my WP beyond 4.5.5; the cited WordPress.org changes reference 4.5.5.1.
  • Review Wordfence and vendor guidance for the confirmed fixed release.
  • Temporarily remove public Posts Locator results pages if immediate upgrade is not possible.
  • Restrict access to affected locator pages until remediation is complete.
  • Monitor web logs for unusual requests containing swlatlng or nelatlng parameters.

Validation and detection

  • Inventory all WordPress sites for GEO my WP and record installed versions.
  • Find public pages containing the Posts Locator results shortcode.
  • Confirm whether published posts have associated gmw_location rows.
  • Verify upgraded code uses validation, casting, escaping, or prepared SQL for boundary values.
  • Review recent access logs for abnormal locator-parameter activity.
Prepared
Confidence
high
Sources
8

Public sources used

Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-89: Database access and collection lookup

Injection into data stores can inform collection, data access, and exfiltration detection reviews. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Database behavior lookup

The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-9757 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profile CVE Program record
Severity
High
CVSS
7.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1 CVSS vectors
5 Timeline events
1 ADP providers
8 Source links

SSVC decision data

CISA-ADP CISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

Score Version Severity Vector Exploit Impact Source
7.5 CVSS 3.1 High CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6 Wordfence

Vulnerability scoring details

Base CVSS 3.1 score

7.5 High
CVSS 3.1 vector shape for CVE-2026-9757 Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reserved CVE Program

    The CVE ID was reserved by the assigning CNA.

  2. Source timeline Wordfence

    Vendor Notified

  3. Source timeline Wordfence

    Disclosed

  4. CVE published CVE Program

    The CVE record was published.

  5. CVE updated CVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADP CISA ADP Vulnrichment
other:ssvc

Source materials

Affected products

Products and packages named in the record

Vendor Product Version / package Status
ninjew GEO my WP 0 unaffected
Weakness

CWE details

CWE-89

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-89 · source CWE mapping

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

Open CWE intelligence Same-CWE CVEs