WordPress Geo Mashup Plugin: Unauthenticated SQL Injection via 'object_ids'

The Geo Mashup plugin for WordPress, in all versions up to and including 1.13.18, is vulnerable to time-based SQL injection. The National Vulnerability Database (NVD) reports this critical flaw (CVE-2026-4062) stems from insufficient escaping of the user-supplied parameters 'object_ids' and 'exclude_object_ids'. esc_sql() is applied to them, but it is ineffective here: it only escapes quote and backslash characters so that a value can sit inside a quoted string literal, whereas these values are used in an unquoted IN(...) / NOT IN(...) context, where there is nothing for esc_sql() to neutralize.

Adding to the problem, the numeric-only sanitizer in sanitize_query_args() is used only for AJAX requests, not in core paths such as render-map.php or the template tags. This gap lets unauthenticated attackers append their own SQL to the existing query. The NVD indicates this can lead to extracting sensitive database information through time-based blind SQL injection, posing a significant risk to data confidentiality.
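
The pattern described above, side by side with a hardened form, as an added example that is not the Geo Mashup plugin's own code: esc_sql() leaves an unquoted IN() list attacker-controlled, while a numeric whitelist applied on every code path plus $wpdb->prepare() placeholders removes the injection point. The table and column names and the geo_ function names are assumptions for illustration.

```php
<?php
// Added example, not the Geo Mashup plugin's own code. It shows why esc_sql()
// does not protect an unquoted IN(...) list and how to build the clause safely.
// $wpdb is WordPress's database object; the table and column names are assumed.

// Flawed pattern (the one the advisory describes). esc_sql() only escapes
// quotes and backslashes so a value can sit INSIDE a quoted string literal.
// In an unquoted IN(...) list there is nothing to escape: a value that closes
// the parenthesis and appends its own SQL is inserted verbatim.
function geo_flawed_in_clause( $object_ids ) {
    global $wpdb;
    $ids = esc_sql( $object_ids ); // still attacker-controlled text
    return "SELECT object_id FROM {$wpdb->prefix}geo_mashup_location_relationships"
         . " WHERE object_id IN ({$ids})";
}

// Normalise the request value to a list of positive integers. Accepts the
// comma-separated string form used in query strings as well as an array;
// anything that is not a positive integer is dropped rather than "escaped".
function geo_normalize_ids( $object_ids ) {
    $raw = is_array( $object_ids ) ? $object_ids : explode( ',', (string) $object_ids );
    $ids = array();
    foreach ( $raw as $value ) {
        $value = trim( (string) $value );
        if ( ctype_digit( $value ) && (int) $value > 0 ) {
            $ids[] = (int) $value;
        }
    }
    return array_values( array_unique( $ids ) );
}

// Safe pattern: apply the numeric whitelist on EVERY code path (render-map.php,
// template tags, AJAX), then let $wpdb->prepare() place the values through
// generated %d placeholders, the idiomatic form for a variable-length IN().
function geo_safe_in_clause( $object_ids, $exclude = false ) {
    global $wpdb;
    $ids = geo_normalize_ids( $object_ids );
    if ( empty( $ids ) ) {
        return null; // nothing valid to filter on; the caller should skip the clause
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $op           = $exclude ? 'NOT IN' : 'IN';
    return $wpdb->prepare(
        "SELECT object_id FROM {$wpdb->prefix}geo_mashup_location_relationships"
        . " WHERE object_id {$op} ({$placeholders})",
        $ids
    );
}
```

geo_safe_in_clause( '1,2,abc,3)', true ) yields a NOT IN (1,2,3) clause because the non-numeric fragment is dropped before any SQL is built.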

With a CVSS score of 7.5 (High), this vulnerability highlights a common pitfall in web application security: relying on incomplete sanitization. Attackers will leverage these direct database access vectors to exfiltrate user data, configuration details, or even pivot to further compromise the underlying server. Defenders need to understand that esc_sql() is not a silver bullet against all SQL injection vectors.

What This Means For You

  • If your organization uses the Geo Mashup plugin for WordPress, you are exposed. Immediately audit your WordPress installations for versions up to 1.13.18. This is an unauthenticated SQL injection, meaning any attacker can exploit it without credentials. Assume compromise if you're running vulnerable versions and audit your database logs for unusual activity.

🛡️ Detection Rules

3 detection rules were auto-generated for this advisory and mapped to MITRE ATT&CK; one of them, in Sigma YAML, is shown below.

Level: high · ATT&CK: T1190 (Initial Access)

WordPress Geo Mashup Plugin Unauthenticated SQL Injection - CVE-2026-4062

Sigma YAML
title: WordPress Geo Mashup Plugin Unauthenticated SQL Injection - CVE-2026-4062
id: scw-2026-05-02-ai-1
status: experimental
level: high
description: |
  Detects unauthenticated SQL injection attempts targeting the Geo Mashup plugin in WordPress (CVE-2026-4062). The rule looks for requests to 'render-map.php' whose query string carries the 'object_ids' or 'exclude_object_ids' parameter together with SQL syntax indicative of time-based blind SQL injection, such as SQL sleep/delay functions. Because the values land in an unquoted IN() context, basic escaping does not stop them.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-4062/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection_uri:
    cs-uri|contains: '/wp-content/plugins/geo-mashup/render-map.php'
  selection_param:
    cs-uri-query|contains:
      - 'object_ids='
      - 'exclude_object_ids='
  selection_payload:
    # plain and URL-encoded spellings; Sigma 'contains' matches case-insensitively
    cs-uri-query|contains:
      - 'SLEEP('
      - 'SLEEP%28'
      - 'WAITFOR DELAY'
      - 'WAITFOR%20DELAY'
  condition: selection_uri and selection_param and selection_payload
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID             Type  Indicator
CVE-2026-4062  SQLi  Geo Mashup plugin for WordPress versions <= 1.13.18
CVE-2026-4062  SQLi  Vulnerable parameters: 'object_ids', 'exclude_object_ids'
CVE-2026-4062  SQLi  Vulnerable code paths: `render-map.php`, template tag code paths
CVE-2026-4062  SQLi  CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 02, 2026 at 15:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
