Key Vulnerability Information

Vulnerability name: Unauthenticated SQL Injection via 'sort' Parameter
CVE ID: CVE-2026-2416
CVSS score: 7.5 (High)
Affected versions: Geo Mashup <= 1.13.17
Patched version: 1.13.18
Public disclosure date: February 24, 2026
Last updated: February 25, 2026
Researcher: Nabil Irawan - Heroes Cyber Security

Vulnerability description:
The Geo Mashup plugin for WordPress is vulnerable to SQL injection via the 'sort' parameter. The cause is insufficient escaping of the user-supplied parameter combined with a lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL to the existing query, which can be used to extract sensitive information from the database.

Other Related Vulnerabilities

Geo Mashup <= 1.13.16 - Unauthenticated Local File Inclusion: CVE-2025-48293, CVSS 8.1
Geo Mashup <= 1.13.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via geo_mashup_visible_posts_list Shortcode: CVE-2024-8990, CVSS 6.4
Geo Mashup <= 1.13.12 - Authenticated (Contributor+) Stored Cross-Site Scripting: CVE-2024-44008, CVSS 6.5
Freemius SDK <= 2.5.9 - Reflected Cross-Site Scripting via fs_request_get: CVE-2023-33999, CVSS 6.1
Freemius SDK <= 2.4.2 - Missing Authorization Checks: CVE-2022-4974, CVSS 6.3
Geo Mashup < 1.10.4 - Cross-Site Scripting: CVE-2018-14071, CVSS 6.4
Geo Mashup < 1.8.3 - Cross-Site Scripting: CVE-2015-1383, CVSS 6.1
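The description above names the two ingredients of this bug class: a request parameter that selects the sort order, and a query that receives it without escaping or preparation. The added example below is not Geo Mashup's code and does not reproduce the plugin's actual query; it is a generic WordPress ($wpdb) illustration with a hypothetical table and hypothetical column names. It shows why a sort column is a special case: $wpdb->prepare() placeholders bind values, not identifiers, so an ORDER BY target cannot be fixed by adding a %s placeholder. The defensive pattern is to map the request value onto a fixed allowlist of column names and directions so that only literal strings chosen by the developer ever reach the SQL text.

```php
<?php
// Added example (not the plugin's code). Table and column names are hypothetical.

/**
 * Vulnerable pattern: the raw 'sort' request value is concatenated into the
 * ORDER BY clause. Because identifiers cannot be bound with prepare()
 * placeholders, wrapping this query in $wpdb->prepare() would not help.
 */
function example_vulnerable_query( $wpdb, $sort ) {
    return "SELECT post_id, lat, lng FROM {$wpdb->prefix}example_geo ORDER BY {$sort}";
}

/**
 * Hardened pattern: translate the user-supplied key into a column from a
 * fixed allowlist and a direction from {ASC, DESC}. Unknown input falls back
 * to the defaults, so the request value itself never enters the SQL string.
 */
function example_safe_order_by( $sort ) {
    $allowed_columns = array(
        'date'  => 'post_date',
        'title' => 'post_title',
        'dist'  => 'distance',
    );
    $column    = 'post_date'; // default column
    $direction = 'ASC';       // default direction

    // Accept forms such as "title", "title desc" or "dist ASC".
    $parts = preg_split( '/\s+/', trim( (string) $sort ) );
    if ( isset( $allowed_columns[ $parts[0] ] ) ) {
        $column = $allowed_columns[ $parts[0] ];
    }
    if ( isset( $parts[1] ) && 'DESC' === strtoupper( $parts[1] ) ) {
        $direction = 'DESC';
    }
    return "ORDER BY {$column} {$direction}";
}

/**
 * Values (as opposed to identifiers) still go through prepare() with
 * placeholders; the allowlisted ORDER BY clause is a developer-controlled
 * literal by the time it is interpolated.
 */
function example_hardened_query( $wpdb, $sort, $limit ) {
    $order_by = example_safe_order_by( $sort );
    return $wpdb->prepare(
        "SELECT post_id, lat, lng FROM {$wpdb->prefix}example_geo {$order_by} LIMIT %d",
        absint( $limit )
    );
}
```

When reviewing a plugin for this pattern, look for any request parameter (sort, orderby, order, column selectors) that is interpolated into SQL without passing through a mapping like example_safe_order_by(); escaping functions such as esc_sql() are not a substitute here, because a column name does not sit inside quotes in the query and so quoting-based escapes do not constrain it.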