External risk intelligence

Unauthenticated SQL Injection in GEO my WordPress Plugin Versions 4.5.5 and Earlier

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-52715

An unauthenticated SQL injection vulnerability exists in the GEO my WordPress plugin. This could allow an attacker to execute arbitrary SQL commands, potentially leading to unauthorized access or manipulation of database information, affecting service availability.

4Halo Surface Signal

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-52715

The vulnerability exists in a WordPress plugin. WordPress sites are frequently deployed as public-facing web applications, and plugins are integral components of these web services, making them commonly accessible via the internet.

PCI scan relevance

PCI Relevance for CVE-2026-52715

Yes

CVE-2026-52715 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This unauthenticated SQL injection vulnerability is PCI scan-relevant because it can lead to automatic failure in PCI ASV scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in a widely used WordPress plugin that allows for the injection of malicious SQL code. This issue does not require authentication to exploit and could potentially lead to unauthorized access or manipulation of sensitive data stored within the WordPress database. The main concern at this time is to confirm if this plugin is in use and assess any potential exposure.

  • Unauthenticated SQL injection allows unauthorized database access.
  • Understand plugin usage to gauge potential business risk.
  • Confirm relevance and assess exposure to this plugin.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending a specially crafted request to a vulnerable WordPress site that has the Geo my WordPress plugin installed. This request targets the plugin's handling of geographic data, allowing the attacker to inject malicious SQL code. If successful, this injection can lead to unauthorized access to sensitive database information and potentially disrupt the site's functionality.

  • No authentication required.
  • SQL injection via crafted requests.
  • Database compromise and disruption.

Live Threat

Current exploitation, exposure, and threat context

This unauthenticated SQL injection vulnerability could allow an attacker to execute arbitrary SQL commands when supported by the advisory, potentially impacting database integrity and service availability.

  • Database integrity could be affected.
  • Unauthenticated network requests may trigger it.
  • Unauthorized data access or manipulation.

Operational Fix

Recommended remediation, mitigation, and detection steps

This unauthenticated SQL injection vulnerability in GEO my WordPress impacts external-facing web applications. Owners of affected WordPress sites, likely managed by web application or platform teams, should first identify all instances of the plugin, confirm their public accessibility, and assess business criticality. Subsequent steps will depend on this initial exposure review and involve coordination with vendor-management if applicable, followed by planned remediation during a maintenance window or the implementation of temporary risk-reduction measures.

  • Application owners should verify plugin instances.
  • Confirm public reachability and business criticality.
  • Plan remediation or risk reduction.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is the GEO my WordPress plugin?

GEO my WordPress is an extension for WordPress websites designed to add location-based features, such as mapping, proximity searches, and location management. It integrates directly into the WordPress ecosystem, allowing site administrators to provide geographic functionality to their users and visitors.

What does SQL injection mean for CVE-2026-52715?

This vulnerability is classified as CWE-89, or Improper Neutralization of Special Elements used in an SQL Command. In plain terms, it means the plugin fails to properly filter the data it receives before using it in database queries. This flaw allows an attacker to inject their own malicious database commands, which the system then executes, potentially exposing sensitive information or disrupting the site.

How can an attacker trigger this vulnerability?

An attacker triggers this bug by sending a specially crafted web request to the vulnerable site. Because the vulnerability does not require any user account or password, it can be triggered by anyone with network access to the site. Legitimate use of the plugin's standard geographic search features does not inherently trigger the bug; it requires the specific, malicious input designed to bypass the plugin's data validation.

Is my site at risk?

According to Halo Surface Signal, this vulnerability is particularly relevant to WordPress sites because they are often deployed as public-facing web applications. Since the plugin is a core component for geographic features on these sites, it is frequently accessible over the internet. If you are running version 4.5.5 or earlier of GEO my WordPress on a site that can be reached from the public web, your database may be reachable by unauthorized parties.

What should I do to respond to this threat?

Your first step is to perform an inventory of your WordPress installations to confirm if the GEO my WordPress plugin is active. Once identified, evaluate the criticality of the site and its exposure to the internet. Coordinate with your team to plan for a secure update or, if immediate patching is not possible, investigate temporary risk-reduction strategies to limit access to the affected components until a resolution is implemented.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished