CVE-2026-48967: WordPress Geo Mashup plugin <= 1.13.19 - SQL Injection vulnerability
Subscriber SQL Injection in Geo Mashup <= 1.13.19 versions.
Metrics
- CVSS v3.1: 8.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a SQL injection vulnerability in the WordPress Geo Mashup plugin, versions 1.13.19 and earlier. The flaw is reachable over the network and requires only a low-privilege subscriber-level account, making it accessible to any registered user on an affected WordPress site. Successful exploitation reads sensitive data from the underlying database and can also cause limited service disruption. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Available: Detection of CVE-2026-48967 is available across every HarborGuard environment; the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built WordPress images that bundle the Geo Mashup plugin.
- Available: HarborGuard scores this CVE at 8.5 HIGH using the CVSS v3.1 vector and applies each customer organization's compliance policy weighting before routing findings to the appropriate team inbox, so the right engineers see the alert without manual filtering.
- Pending upstream: Because no upstream fix version has been published yet, HarborGuard re-checks the Patchstack advisory each ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention as soon as a patched version is confirmed.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress site via HTTP or HTTPS.
- Authentication: Required
A low-privilege account (subscriber level or equivalent) is sufficient; no administrative access is needed.
- Victim interaction: Not required
The attacker can trigger the SQL injection directly without any action from another user or administrator.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other hard-to-control environmental factors.
Blast Radius
- An attacker reads arbitrary rows from the WordPress database, including stored user credentials, session tokens, email addresses, and plugin configuration data.
- Database confidentiality impact is rated High, meaning sensitive records across the full WordPress schema are within reach of the injected query.
- The availability impact is rated Low; crafted queries can degrade database responsiveness or cause partial service disruption for legitimate users.
- No write or delete capability is indicated by the CVSS vector, so data modification and deletion are not directly enabled by this exploit path.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively monitored against all customer images that include the Geo Mashup plugin, with no fix version currently available from the upstream author. HarborGuard re-evaluates the Patchstack advisory on every ingest cycle and will surface a patched-image rebuild automatically once an upstream release is confirmed. In the interim, customers can apply compensating controls within their environments: restricting subscriber-level registration on exposed WordPress sites, adding a web application firewall rule to block unsanitized query parameters on the affected plugin's endpoints, and isolating database network access via Kubernetes NetworkPolicy or equivalent to limit the blast radius if exploitation occurs. For customers with auto-remediation enabled, the full rebuild, regression test, and PR flow will activate without manual steps the moment a fix version is available.
Affected Products
- Dylan Kuhn / Geo Mashup: ≤ 1.13.19
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L