CVE-2026-4061: Geo Mashup WordPress Plugin SQL Injection

The Geo Mashup plugin for WordPress, in all versions up to and including 1.13.18, is vulnerable to time-based SQL injection. According to the National Vulnerability Database, the flaw (CVE-2026-4061) stems from improper sanitization of the map_post_type parameter. Specifically, the SearchResults hook explicitly calls stripslashes_deep($_POST), undoing the slashes WordPress adds to request data (its "magic quotes" behaviour). The unsanitized map_post_type value is then concatenated directly into an IN(...) SQL clause without esc_sql() or $wpdb->prepare().

This oversight allows unauthenticated attackers to inject malicious SQL queries. By leveraging a time-based blind approach, they can extract sensitive information from the database. The National Vulnerability Database notes that exploitation is contingent on the Geo Search feature being enabled within the plugin settings. The vulnerability carries a CVSS score of 7.5 (High severity).

This is a fundamental failure in input validation, exacerbated by explicitly removing built-in protections. For defenders, it’s a stark reminder that even seemingly innocuous plugin parameters can harbor critical vulnerabilities when developers misunderstand or bypass core security functions. Attackers constantly probe for these exact scenarios, where a simple request parameter can lead to full database compromise.
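The following is an added example, not code from the Geo Mashup plugin or from this advisory's author. It models in Python (sqlite3, so it runs offline) the root cause described above: a request value dropped verbatim into an IN(...) clause, beside the parameterised form that $wpdb->prepare() gives you in WordPress. The shape of the flawed query, the posts table and the row data are constructed assumptions; the probe string is the one quoted in this advisory's Sigma rule.

```python
"""Model of the CVE-2026-4061 root cause: untrusted input interpolated into SQL
IN(...) versus the same input passed through placeholders. sqlite3 stands in
for MySQL so the script runs offline; the plugin's real query text is not in
the advisory, so the vulnerable shape below is an assumption."""
import sqlite3

# Constructed: the time-based probe string quoted in the advisory's Sigma rule.
TIME_BASED_PROBE = "(SELECT * FROM (SELECT(SLEEP(5)))a)"


def _demo_db() -> sqlite3.Connection:
    """Constructed sample table standing in for wp_posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, post_type TEXT)")
    conn.executemany(
        "INSERT INTO posts (id, post_type) VALUES (?, ?)",
        [(1, "post"), (2, "page"), (3, "post"), (4, "attachment")],
    )
    return conn


def vulnerable_sql(map_post_type: str) -> str:
    """Assumed shape of the flawed construction: the request value becomes part
    of the statement text (no esc_sql(), no prepare())."""
    return f"SELECT id FROM posts WHERE post_type IN ({map_post_type})"


def parameterised_sql(map_post_types: list[str]) -> tuple[str, list[str]]:
    """Hardened form: one placeholder per value, values bound separately.
    sqlite3 uses '?'; $wpdb->prepare() uses %s with the same idea
    (implode(',', array_fill(0, count($types), '%s')))."""
    if not map_post_types:
        raise ValueError("IN() needs at least one value")
    placeholders = ",".join("?" for _ in map_post_types)
    sql = f"SELECT id FROM posts WHERE post_type IN ({placeholders})"
    return sql, list(map_post_types)


def run_vulnerable(map_post_type: str):
    """Returns (rows, error). With the probe the error proves the subquery reached
    the SQL parser: sqlite has no SLEEP(), MySQL would simply have paused 5 s."""
    conn = _demo_db()
    try:
        return [r[0] for r in conn.execute(vulnerable_sql(map_post_type))], None
    except sqlite3.OperationalError as exc:
        return None, str(exc)


def run_parameterised(map_post_types: list[str]) -> list[int]:
    """Same input through placeholders: the probe is a string matching no row."""
    conn = _demo_db()
    sql, params = parameterised_sql(map_post_types)
    return [r[0] for r in conn.execute(sql, params)]


if __name__ == "__main__":
    print(run_vulnerable(TIME_BASED_PROBE))        # (None, 'no such function: SLEEP')
    print(run_parameterised([TIME_BASED_PROBE]))   # []
    print(run_parameterised(["post", "page"]))     # [1, 2, 3]
```

The interesting line is the error from the interpolated version: the database tried to resolve SLEEP as a function, which is exactly the behaviour a time-based blind probe relies on. The placeholder version never lets the value touch the statement text, and the IN() list stays correct for any number of values.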

What This Means For You

  • If your organization uses the Geo Mashup plugin for WordPress, you are exposed. Check your plugin version immediately. If Geo Search is enabled, assume you are at high risk. Unauthenticated SQL injection is a direct path to data exfiltration. Patch or disable this plugin without delay. Audit logs for any suspicious activity related to the Geo Mashup plugin, especially around the `map_post_type` parameter.

Detection Rules

Severity: critical · ATT&CK: T1190 (Initial Access)

Sigma YAML
title: 'CVE-2026-4061: Geo Mashup WordPress Plugin SQL Injection via map_post_type'
id: scw-2026-05-02-ai-1
status: experimental
level: critical
description: |
  Detects a time-based SQL injection attempt targeting the Geo Mashup WordPress plugin (CVE-2026-4061). The rule looks for POST requests to 'admin-ajax.php' with the 'geoMashup_search' action and a body containing a time-based SQL injection pattern in the 'map_post_type' parameter. The POST body field ('query') is only available from log sources that record request bodies, such as a WAF or reverse proxy.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-4061/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method: 'POST'
    cs-uri|contains: '/wp-admin/admin-ajax.php'
    cs-uri-query|contains: 'action=geoMashup_search'
  selection_post_data:
    query|contains: "map_post_type=(SELECT * FROM (SELECT(SLEEP(5)))a)"
  condition: selection and selection_post_data
falsepositives:
  - Legitimate administrative activity
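The script below is an added example (not part of the advisory or the rule feed) that applies the Sigma rule's logic to constructed web-server log lines. It goes slightly beyond the rule's literal string match: the POST body is URL-decoded and the SLEEP( check is case-insensitive, so a percent-encoded or lower-cased copy of the same probe is still flagged, which the exact `query|contains` value above would miss. The tab-separated line layout, the timestamps and the request bodies are all constructed for the example; real access logs rarely contain request bodies, so this assumes a WAF or reverse proxy that records them.

```python
"""Apply the logic of the CVE-2026-4061 Sigma rule to sample log lines.
Constructed format: TAB-separated  time, method, uri, status, post body ('-' if none)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not real traffic). Line 2 is the same probe as
# line 1 but percent-encoded and lower-cased; lines 3-5 are benign.
SAMPLE_LOG = (
    "2026-05-02T15:20:01Z\tPOST\t/wp-admin/admin-ajax.php?action=geoMashup_search\t200\t"
    "map_post_type=(SELECT * FROM (SELECT(SLEEP(5)))a)&search_text=paris\n"
    "2026-05-02T15:20:05Z\tPOST\t/wp-admin/admin-ajax.php?action=geoMashup_search\t200\t"
    "map_post_type=%28select+*+from+%28select%28sleep%285%29%29%29a%29\n"
    "2026-05-02T15:21:10Z\tPOST\t/wp-admin/admin-ajax.php?action=geoMashup_search\t200\t"
    "map_post_type=post&search_text=berlin\n"
    "2026-05-02T15:22:00Z\tGET\t/wp-admin/admin-ajax.php?action=heartbeat\t200\t-\n"
    "2026-05-02T15:23:30Z\tPOST\t/wp-login.php\t302\tlog=admin&pwd=REDACTED\n"
)

# Time-based probe signature on the decoded parameter value, case-insensitive.
TIME_BASED = re.compile(r"\bsleep\s*\(", re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Split one constructed log line into the fields the rule needs."""
    ts, method, uri, status, body = line.rstrip("\n").split("\t", 4)
    parts = urlsplit(uri)
    return {
        "time": ts,
        "method": method,
        "path": parts.path,
        "query": parse_qs(parts.query),  # parse_qs also URL-decodes values
        "status": status,
        "body": None if body == "-" else body,
    }


def matches_rule(rec: dict) -> bool:
    """selection AND selection_post_data, as in the Sigma rule, but on decoded values."""
    if rec["method"] != "POST" or "/wp-admin/admin-ajax.php" not in rec["path"]:
        return False
    body = parse_qs(rec["body"] or "")
    # The action may travel in the query string (as the rule expects) or in the body.
    actions = rec["query"].get("action", []) + body.get("action", [])
    if "geoMashup_search" not in actions:
        return False
    return any(TIME_BASED.search(v) for v in body.get("map_post_type", []))


def scan(log_text: str) -> list[str]:
    """Return the timestamps of all lines that satisfy the rule."""
    records = (parse_line(line) for line in log_text.splitlines() if line)
    return [rec["time"] for rec in records if matches_rule(rec)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("CVE-2026-4061 probe pattern at", hit)
```

Only the first two lines are reported. The legitimate search (line 3) passes every selection check except the payload pattern, which is what keeps the rule's false-positive rate low; when tuning it for a real deployment, start from the decoded body value rather than the raw request string, since the literal in the Sigma rule matches only one encoding of the probe.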

Source: Shimi's Cyber World

Indicators of Compromise

| ID            | Type | Indicator                                            |
|---------------|------|------------------------------------------------------|
| CVE-2026-4061 | SQLi | Geo Mashup plugin for WordPress versions <= 1.13.18  |
| CVE-2026-4061 | SQLi | Vulnerable parameter: map_post_type                  |
| CVE-2026-4061 | SQLi | Vulnerable component: SearchResults hook             |
| CVE-2026-4061 | SQLi | Attack vector: Time-Based Blind SQL Injection        |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 02, 2026 at 15:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
