External risk intelligence

GEO my WP WordPress Plugin SQL Injection Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-15300

The vulnerability exists in a WordPress plugin designed for location-based search and proximity filtering. These features are typically exposed on public-facing web pages to allow visitors to search for locations or view maps, making the vulnerable parameters reachable by any user accessing the website.

SQL Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability was identified in the GEO my WP plugin for WordPress, which could allow an attacker to inject malicious code. This issue stems from how the plugin handles location search parameters, potentially enabling unauthorized access and modification of data within the WordPress environment. The main concern is confirming relevance and exposure to affected systems.

  • Plugin flaw allows code injection on WordPress sites.
  • Critical flaw impacts location search and data integrity.
  • Confirm plugin usage and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a specially crafted request to a WordPress site running the vulnerable plugin. This request would target the plugin's location search functionality, injecting malicious data into parameters that are not properly sanitized before being used in a database query. This could lead to unauthorized access or modification of the site's data.

  • No authentication required.
  • Malicious input in search parameters.
  • Data corruption and unauthorized access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to manipulate database queries when specific location search parameters are present. This manipulation might lead to unexpected service behavior. The advisory does not indicate that sensitive information, PII, or system data are directly exposed or modified.

  • Database query manipulation.
  • Via manipulated location search parameters.
  • Unexpected plugin behavior.

Operational Fix

Recommended remediation, mitigation, and detection steps

Infrastructure and application teams managing WordPress sites with the GEO my WP plugin are responsible for addressing this critical SQL injection vulnerability. The first practical step is to identify all instances of the plugin, confirm its exposure to external users, and determine business criticality before planning remediation.

  • WordPress site owners.
  • Verify plugin deployment and reachability.
  • Plan and execute the update.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the GEO my WP plugin used for in WordPress?

GEO my WP is a WordPress plugin that adds location-based functionality to a website. It is primarily used to power proximity searches, allowing site visitors to find posts, store locations, or other content based on their physical distance or geographic coordinates.

How does CVE-2026-15300 relate to SQL injection?

This vulnerability falls under the CWE-89 weakness class, which involves improper neutralization of special elements used in an SQL command. In this CVE, the plugin fails to properly validate numeric inputs for location searches. Because the code treats these inputs as numbers without strict type checking, an attacker can inject malicious database commands that bypass standard security filters.

Do I need to be logged in to trigger this vulnerability?

No, authentication is not required to trigger the issue. The vulnerability is reachable via standard URL parameters. However, the bug is only triggered when the plugin processes specific proximity-search requests using the distance, latitude, or longitude fields; simple page loads or site visits that do not invoke these search features do not activate the flawed query logic.

Is my site relevant if it uses GEO my WP?

According to Halo Surface Signal, relevance is high because this plugin is designed for public-facing maps and search bars. Since these features are meant to be accessed by visitors, the vulnerable parameters are often reachable by anyone on the internet, increasing the likelihood that an attacker could attempt to manipulate your database.

When should I update my GEO my WP plugin?

You should prioritize updating to version 4.5.5 or higher immediately. Since this is a critical database vulnerability, your first step is to audit your WordPress environment to identify all active installations of the plugin. Once identified, apply the vendor-provided update, which introduces numeric casting and validation to neutralize malicious inputs before they reach the database.

References