CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-15300

criticalCVSS 9.1covered by 1 sourcefirst seen 2026-07-10
The GEO my WP plugin for WordPress was vulnerable to SQL Injection via the 'distance', 'lat', and 'lng' parameters in versions up to, and including, 4.5.4. The values were read from $_SERVER['QUERY_STRING'] via parse_str() (bypassing wp_magic_quotes, which does not cover $_SERVER), then passed through bare esc_sql() before being interpolated into unquoted numeric positions in the proximity-search query (HAVING/SELECT clause distance math, BETWEEN bounding-box pre-filter) built by gmw_locations_query() in plugins/posts-locator/includes/class-gmw-wp-query.php. Because esc_sql() only escapes string delimiters and these positions are numeric, payloads such as 1 OR SLEEP(3) survived sanitization. Fixed in 4.5.5 by adding an upstream is_numeric() guard that short-circuits the WHERE clause to AND 1 = 0 when either coordinate is non-numeric, and by replacing the three esc_sql() calls with (float) casts.

⚡ Watch CVE-2026-15300

Get an email if CVE-2026-15300 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-15300

CVE.org record

Embed the live status

CVE-2026-15300 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-15300 status](https://www.csirts.com/badge/CVE-2026-15300)](https://www.csirts.com/cve/CVE-2026-15300)