WordPress Geo Mashup Plugin SQLi via 'sort' Parameter (CVE-2026-4060)

The National Vulnerability Database has published CVE-2026-4060, a high-severity time-based blind SQL injection vulnerability in the Geo Mashup plugin for WordPress. All versions up to and including 1.13.18 are affected. The root cause is insufficient escaping of the 'sort' parameter combined with a lack of prepared statements in the existing SQL queries. The plugin does pass the value through esc_sql(), but that function only escapes characters that would terminate a quoted string literal; in an ORDER BY clause the value is interpolated unquoted, as a column name or expression, so a payload that contains no quote characters passes through unchanged.

Version 1.13.18 did introduce an allowlist-based sanitizer, sanitize_sort_arg(), but it is applied only in the AJAX code path (through sanitize_query_args()). The render-map.php and template tag code paths never call it, so the unsanitized 'sort' value still reaches the ORDER BY clause there.

The vulnerability allows unauthenticated attackers to inject additional SQL into the ORDER BY clause of an existing query and, using a time-based blind technique, infer sensitive information from the database one condition at a time. With a CVSS score of 7.5 (High), this is a weakness that site administrators cannot afford to ignore.
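To make the esc_sql()-in-ORDER-BY point concrete, here is an added Python example (not the plugin's own code) that reproduces both code paths against an in-memory SQLite table: a vulnerable path that escapes the 'sort' value and concatenates it into ORDER BY, and a hardened path that only lets an allowlisted column and direction through, written in the spirit of sanitize_sort_arg(). The esc_sql() approximation, the column allowlist, the table contents and the payloads are all assumptions made for the demonstration. SQLite has no SLEEP(), so the payload uses the order of the returned rows as the blind oracle instead of a delay; on MySQL the same quote-free construction with IF(cond, SLEEP(5), 0) gives the time-based variant the advisory describes.

```python
import sqlite3


def esc_sql(value: str) -> str:
    """Approximation (assumption) of WordPress esc_sql(): escapes the characters
    that could terminate a quoted string literal. It never validates identifiers,
    so a quote-free value reaches an unquoted ORDER BY completely untouched."""
    escapes = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\n": "\\n",
               "\r": "\\r", "\0": "\\0", "\x1a": "\\Z"}
    return "".join(escapes.get(ch, ch) for ch in value)


# Hypothetical allowlist sanitizer in the spirit of sanitize_sort_arg();
# the plugin's real column list is not on the page.
ALLOWED_COLUMNS = {"id", "title", "post_date"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def sanitize_sort_arg(sort: str, default: str = "id ASC") -> str:
    """Return 'column DIRECTION' only if both parts are allowlisted, else the default."""
    parts = sort.split()
    if len(parts) not in (1, 2):
        return default
    column = parts[0].lower()
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if column not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        return default
    return f"{column} {direction}"


def _posts_db() -> sqlite3.Connection:
    """Constructed sample data: ids ascend while titles descend, so the two
    orderings are distinguishable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)",
                     [(1, "zulu"), (2, "mike"), (3, "alpha")])
    return conn


def run_vulnerable(sort: str) -> list:
    """The pattern the advisory describes: escape, then concatenate into ORDER BY."""
    conn = _posts_db()
    sql = "SELECT id FROM posts ORDER BY " + esc_sql(sort)
    return [row[0] for row in conn.execute(sql)]


def run_hardened(sort: str) -> list:
    """Same query, but only an allowlisted column/direction can reach ORDER BY."""
    conn = _posts_db()
    sql = "SELECT id FROM posts ORDER BY " + sanitize_sort_arg(sort)
    return [row[0] for row in conn.execute(sql)]


# Quote-free blind payloads: the condition asks whether the first character of
# post 1's title is 'z' (code point 122). True sorts by id, false sorts by
# title, so the row order leaks one bit per request. The MySQL time-based
# equivalent would be IF((SELECT ...)=122, SLEEP(5), 0).
PAYLOAD_TRUE = ("CASE WHEN (SELECT unicode(substr(title,1,1)) FROM posts WHERE id=1)=122 "
                "THEN id ELSE title END")
PAYLOAD_FALSE = PAYLOAD_TRUE.replace("=122", "=121")

if __name__ == "__main__":
    print("esc_sql leaves the payload intact:", esc_sql(PAYLOAD_TRUE) == PAYLOAD_TRUE)
    print("vulnerable, true condition :", run_vulnerable(PAYLOAD_TRUE))
    print("vulnerable, false condition:", run_vulnerable(PAYLOAD_FALSE))
    print("hardened, either condition :", run_hardened(PAYLOAD_TRUE), run_hardened(PAYLOAD_FALSE))
```

The vulnerable path returns the rows in a different order depending on the attacker's condition even though every byte went through esc_sql(); the hardened path discards anything that is not a known column and direction, so the condition no longer influences the result. The fix is the allowlist, not more escaping: there is no quoting that makes an identifier position safe for arbitrary input.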

What This Means For You

  • If your organization runs the WordPress Geo Mashup plugin, you are exposed: the injection is reachable without authentication, and a time-based blind technique lets an attacker read database contents one bit at a time without triggering a visible error. Check whether Geo Mashup is installed and which version is active, update to a release newer than 1.13.18 as soon as one is available, and deactivate the plugin in the meantime if it is not. Because the exploit is blind, successful extraction leaves little trace beyond unusual 'sort' values and slow responses in the web server logs.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application (Initial Access)

Detection Rules

WordPress Geo Mashup Plugin SQLi via 'sort' Parameter - CVE-2026-4060 (level: high, mapped to T1190)

Sigma YAML
title: WordPress Geo Mashup Plugin SQLi via 'sort' Parameter - CVE-2026-4060
id: scw-2026-05-02-ai-1
status: experimental
level: high
description: |
  Detects time-based SQL injection attempts targeting the Geo Mashup plugin for WordPress (CVE-2026-4060). The 'sort' parameter is not sanitized in some code paths and is concatenated into an ORDER BY clause, so an attacker can inject SQL. This rule looks for values of the 'sort' parameter in the URI query string that begin with the SQL keyword CASE or the functions IF or SLEEP.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-4060/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - 'sort=CASE'
      - 'sort=IF'
      - 'sort=SLEEP'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World


Indicators of Compromise

ID             Type  Indicator
CVE-2026-4060  SQLi  Geo Mashup plugin for WordPress versions <= 1.13.18
CVE-2026-4060  SQLi  Vulnerable parameter: 'sort'
CVE-2026-4060  SQLi  Vulnerable context: ORDER BY clause
CVE-2026-4060  SQLi  Vulnerable files: render-map.php and the template tag code paths
CVE-2026-4060  SQLi  Attack vector: unauthenticated time-based blind SQL injection

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 02, 2026 at 15:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
