Severity: HIGH | CVE-2026-9757 | CNA: Wordfence

CVE-2026-9757: GEO my WP <= 4.5.5 - Unauthenticated SQL Injection via 'swlatlng' / 'nelatlng' Parameters

The GEO my WP plugin for WordPress is vulnerable to SQL Injection via the 'swlatlng' and 'nelatlng' parameters in all versions up to, and including, 4.5.5. The parameters are read from $_SERVER['QUERY_STRING'] via parse_str() (bypassing WordPress's wp_magic_quotes protection, which only covers $_POST/$_GET/$_COOKIE/$_REQUEST), then each is split on ',' via explode() and the resulting fragments are interpolated directly into a SQL BETWEEN clause in gmw_get_locations_within_boundaries_sql() without is_numeric() validation, (float) casting, esc_sql(), or $wpdb->prepare(). This makes it possible for unauthenticated attackers to append additional SQL queries to existing queries and use them to extract sensitive information from the database. Exploitation requires the site to host the Posts Locator search-results shortcode (`[gmw form="results" form_id=N]`) on a public page and to have at least one published post with an associated gmw_location row.

HarborGuard Analysis

Synopsis

Unauthenticated SQL injection in the GEO my WP WordPress plugin (versions up to and including 4.5.5). The bug is reachable over the network without authentication because the plugin reads the swlatlng and nelatlng parameters directly from QUERY_STRING via parse_str(), bypassing WordPress's wp_magic_quotes filtering, then interpolates the comma-split fragments straight into a SQL BETWEEN clause with no numeric validation or prepared-statement use. Successful exploitation lets an attacker append arbitrary SQL to read sensitive data from the WordPress database such as user records and session data. No fix version has been published; HarborGuard tracks the advisory and will surface a patched-image rebuild as soon as one is available upstream.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against WordPress images and plugin payloads in customer registries and CI pipelines, including custom-built images that bundle GEO my WP.

Triage: Available

Triage is available with the published CVSS 3.1 score of 7.5 (High) weighted against each customer's compliance policy, so an internet-facing WordPress site running the Posts Locator shortcode is routed to the right inbox inside each customer org with the appropriate urgency.

Patch: Pending upstream

No upstream fix has shipped for GEO my WP at or below 4.5.5. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment the maintainer publishes a fixed version, with auto-remediation customers receiving a rebuild, regression run, and a PR opened against affected workloads at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress site hosting the vulnerable Posts Locator shortcode over the network (AV:N).

  • Authentication: Not required

    No account or session is needed; any anonymous visitor can send the crafted query string (PR:N).

  • Victim interaction: Not required

    Exploitation is a direct request to the vulnerable endpoint and does not depend on any user action (UI:N).

  • Attack complexity: Low

    Attack complexity is low: the injection is reliable as long as the site exposes the [gmw form="results"] shortcode and has at least one published post with a gmw_location row (AC:L).

Blast Radius

  • Reads arbitrary rows from the WordPress database, including wp_users password hashes, email addresses, and user_meta entries.
  • Extracts session tokens, password reset keys, and any application secrets stored in wp_options.
  • Enables enumeration of private post content and customer or member data held in plugin tables.
  • Confidentiality impact only; the injection path does not modify rows or disrupt service availability (I:N/A:N).

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the GEO my WP advisory with automatic surfacing of a patched-image rebuild as soon as the maintainer publishes a fix. In the meantime, compensating-control guidance is available, including removing or gating the [gmw form="results"] shortcode on public pages, adding a WAF rule that rejects swlatlng or nelatlng values containing non-numeric characters or commas beyond a single pair, and isolating the WordPress workload with network policy and egress filtering so a successful injection cannot reach internal services. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads are triggered automatically the moment an upstream fix lands.
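The root cause described in the advisory (comma-split query-string fragments interpolated into a BETWEEN clause) and the compensating-control rule above (accept only a single numeric lat,lng pair) both reduce to the same fix at the code level. The following is an added illustration, not GEO my WP's code: a hypothetical bounding-box query helper showing the unsafe pattern the advisory describes next to a hardened version that validates the pair and binds it with $wpdb->prepare(). The function names, the `demo_locations` table and its `latitude`/`longitude` columns are assumptions made for the example.

```php
<?php
// Added example (hypothetical; not the plugin's own code). Table and column
// names are assumptions. Requires WordPress's global $wpdb.

// UNSAFE sketch of the pattern the advisory describes: raw explode() fragments
// are dropped straight into the SQL string, so any text in the parameter
// becomes part of the query.
function demo_unsafe_boundaries_sql( $swlatlng, $nelatlng ) {
    global $wpdb;
    $sw = explode( ',', $swlatlng );
    $ne = explode( ',', $nelatlng );
    return "SELECT * FROM {$wpdb->prefix}demo_locations"
         . " WHERE latitude BETWEEN {$sw[0]} AND {$ne[0]}"
         . " AND longitude BETWEEN {$sw[1]} AND {$ne[1]}";
}

// Parse "lat,lng" into two validated floats, or return null if the value is
// not exactly one numeric pair inside the valid coordinate range. This is the
// same rule the WAF guidance above expresses: no non-numeric characters, and
// no commas beyond a single pair.
function demo_parse_latlng( $value ) {
    if ( ! is_string( $value ) ) {
        return null;
    }
    $parts = explode( ',', $value );
    if ( count( $parts ) !== 2 ) {
        return null;
    }
    list( $lat, $lng ) = array_map( 'trim', $parts );
    if ( ! is_numeric( $lat ) || ! is_numeric( $lng ) ) {
        return null;
    }
    $lat = (float) $lat;
    $lng = (float) $lng;
    if ( $lat < -90 || $lat > 90 || $lng < -180 || $lng > 180 ) {
        return null;
    }
    return array( $lat, $lng );
}

// HARDENED: validate shape and range first, then let $wpdb->prepare() bind the
// four numbers with %f placeholders so no user-supplied text reaches the SQL.
function demo_safe_boundaries_sql( $swlatlng, $nelatlng ) {
    global $wpdb;
    $sw = demo_parse_latlng( $swlatlng );
    $ne = demo_parse_latlng( $nelatlng );
    if ( null === $sw || null === $ne ) {
        return null; // caller treats null as "no bounding box filter"
    }
    $table = $wpdb->prefix . 'demo_locations';
    return $wpdb->prepare(
        "SELECT * FROM {$table}"
        . " WHERE latitude BETWEEN %f AND %f AND longitude BETWEEN %f AND %f",
        $sw[0], $ne[0], $sw[1], $ne[1]
    );
}

// Usage: read the parameters from $_GET, which wp_magic_quotes does cover,
// instead of re-parsing $_SERVER['QUERY_STRING'] with parse_str(); wp_unslash()
// removes the added slashes before validation.
$sql = demo_safe_boundaries_sql(
    isset( $_GET['swlatlng'] ) ? wp_unslash( $_GET['swlatlng'] ) : '',
    isset( $_GET['nelatlng'] ) ? wp_unslash( $_GET['nelatlng'] ) : ''
);
```

Two design points worth noting: the validator rejects rather than "cleans" malformed input, so a request with a third comma-separated fragment simply produces no bounding-box filter instead of a partially sanitized query; and the prepared statement is kept even after validation, so the query stays safe if the parsing rule is ever loosened later.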

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: none published (pending upstream)
  • Affected products: 1
  • Affected packages: ninjew / GEO my WP ≤ 4.5.5
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N