CVE-2026-52715: WordPress GEO my WordPress plugin <= 4.5.5 - SQL Injection vulnerability
Unauthenticated SQL Injection in GEO my WordPress <= 4.5.5 versions.
Metrics
- CVSS v3.1
- 9.3
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An unauthenticated SQL injection vulnerability affects the GEO my WordPress plugin at version 4.5.5 and earlier. The flaw is reachable over the network with no authentication required, and the attack succeeds reliably with no victim interaction needed. Successful exploitation gives an attacker read access to database contents and can partially disrupt service availability. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle the GEO my WordPress plugin.
AvailableHarborGuard is capable of scoring this CVE at 9.3 CRITICAL using the published CVSS v3.1 vector and weighting it against each customer environment's compliance policy. Triage routing to the appropriate team inbox within each customer organization is available automatically based on those policy settings.
AvailableNo upstream fix version has been published for this CVE. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available immediately once the upstream maintainer ships a fix. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a PR against affected workloads without manual intervention.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress HTTP service to exploit it.
- AuthenticationNot required
No account or session credentials are needed; the injection can be triggered by any unauthenticated HTTP request.
- Victim interactionNot required
The attacker does not need to involve or deceive any user; the request is sent directly to the server.
- Attack complexityDetail
The exploit is reliable and condition-free: no race conditions, memory layout dependencies, or special environmental factors are required.
Blast Radius
- Reads database contents including stored user records, geolocation data, plugin configuration, and any other tables accessible to the WordPress database user.
- Sensitive values such as password hashes, email addresses, and session tokens stored in the database are exposed to the attacker.
- Availability is partially degraded: the injection can produce malformed or resource-intensive queries that disrupt normal plugin and site operation.
- The scope is changed (CVSS S:C), meaning the impact can extend beyond the WordPress application itself to other data or services sharing the same database instance.
How HarborGuard Handles This
Available on HarborGuard: this CVE is flagged at CRITICAL severity and is actively monitored across every ingest cycle. Because no upstream fix has been published, HarborGuard cannot yet offer a patched-image rebuild, but the advisory is re-evaluated each cycle so a rebuild becomes available the moment the GEO my WordPress maintainer ships a patch. In the meantime, customers can apply compensating controls through HarborGuard policy: network-policy isolation to restrict public access to the WordPress HTTP surface, egress filtering on the database tier to limit lateral exposure, and feature-flag or deployment-gate rules to flag any image containing plugin versions at or below 4.5.5 for mandatory review before promotion to production. For customers with auto-remediation enabled, the full rebuild, regression test, and PR flow will trigger automatically once a fix version is published upstream.
- Eyal Fitoussi / GEO my WordPress≤ 4.5.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L