GEO my WP <= 4.5.5 Unauthenticated SQL Injection (CVE-2026-9757)

Vulnerability Overview Vulnerability Name: GEO my WP <= 4.5.5 - Unauthenticated SQL Injection via 'swlatlng' / 'nelatlng' Parameters CVE ID: CVE-2026-9757 CVSS Score: 7.5 (High) Published Date: May 29, 2026 Last Updated: May 30, 2026 Researcher: Naoya Takahashi (nakko) Affected Versions Affected Versions: GEO my WP <= 4.5.5 Fixed Versions: 4.5.5.1 or later Remediation Recommendation: Update to version 4.5.5.1 or later Vulnerability Description The GEO my WP plugin for WordPress contains an SQL injection vulnerability via the 'swlatlng' and 'nelatlng' parameters. This vulnerability exists in all versions, including 4.5.5. The parameters are read from via , bypassing WordPress's protection and overwriting , , , and . Each parameter is then split by , and the resulting fragments are directly inserted into the SQL clause in without any validation, casting, , or . This allows an unauthenticated attacker to append additional SQL queries to existing queries to extract sensitive information from the database. Exploitation requires the site to host the Posts Locator search results shortcode on a public page and have at least one published post with a row. References plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org plugins.trac.wordpress.org Additional Information Software Type: Plugin Software Alias: geo-my-wp (see wordpress.org) Fixed: Yes Fixed Version: 4.5.5.1 Recent Vulnerabilities GEO my WP <= 4.5.4 - Unauthenticated SQL Injection via 'distance' / 'lat' / 'lng' Parameters - CVE ID: CVE-2024-9757 - CVSS Score: 9.1 - Published Date: May 27, 2026 GEO my WordPress <= 4.5.0.4 - Missing Authorization via get_field_options_ajax - CVE ID: CVE-2024-54326 - CVSS Score: 5.4 - Published Date: December 11, 2024 GEO My WordPress <= 4.4.0.2 - Authenticated (Admin+) Arbitrary File Upload - CVE ID: CVE-2024-9422 - CVSS Score: 7.2 - Published Date: October 31, 2024 GEO my WordPress <= 4.5.0.3 - Reflected Cross-Site Scripting - CVE ID: CVE-2024-47327 - CVSS Score: 6.1 - Published Date: September 25, 2024 GEO my WordPress <= 4.5.0.1 - Unauthenticated Local File Inclusion - CVE ID: CVE-2024-6330 - CVSS Score: 9.8 - Published Date: July 29, 2024 GEO my WordPress <= 4.1 - Cross-Site Request Forgery - CVE ID: CVE-2024-32097 - CVSS Score: 4.3 - Published Date: April 11, 2024 GEO my WordPress <= 4.0.2 - Authenticated (Administrator+) SQL Injection - CVE ID: CVE-2023-52134 - CVSS Score: 6.6 - Published Date: December 28, 2023 GEO my WordPress <= 4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode - CVE ID: CVE-2023-5467 - CVSS Score: 6.4 - Published Date: October 9, 2023 More Information Wordfence Intelligence offers free personal and commercial API access Install Wordfence to get the latest vulnerability notifications immediately The Wordfence Intelligence vulnerability database is fully accessible and queryable for free Footer Information Business Hours: 9am-8pm ET, 6am-5pm PT, and 2pm-1am UTC/GMT (excluding weekends and holidays) Response Time: 24/7 support, 365 days a year, with a 1-hour response time Copyright Information Copyright: © 2012-2026 Defiant Inc. All rights reserved Additional Links Terms of Service Privacy Policy and Notice at Collection Do Not Sell or Share My Personal Information Social Media Twitter Facebook LinkedIn Instagram Subscription Subscribe to news and updates Enter email address Agree to Terms of Service and Privacy Policy Additional Resources Products - Wordfence Free - Wordfence Premium - Wordfence Care - Wordfence Response - Wordfence CLI - Wordfence Intelligence - Wordfence Central Support - Documentation - Learning Center - Free Support - Premium Support News - Blog - In The News - Vulnerability Advisories About - About Wordfence - Affiliate Program - Employment - Contact - Security - CVE-Request Form Stay Updated - Subscribe to news and updates - Enter email address - Agree to Terms of Service and Privacy Policy Additional Information Wordfence Intelligence offers free personal and commercial API access Install Wordfence to get the latest vulnerability notifications immediately The Wordfence Intelligence vulnerability database is fully accessible and queryable for free Footer Information Business Hours: 9am-8pm ET, 6am-5pm PT, and 2pm-1am UTC/GMT (excluding weekends and holidays) Response Time: 24/7 support, 365 days a year, with a 1-hour response time Copyright Information Copyright: © 2012-2026 Defiant Inc. All rights reserved Additional Links Terms of Service Privacy Policy and Notice at Collection Do Not Sell or Share My Personal Information Social Media Twitter Facebook LinkedIn Instagram Subscription Subscribe to news and updates Enter email address Agree to Terms of Service and Privacy Policy Additional Resources Products - Wordfence Free - Wordfence Premium - Wordfence Care - Wordfence Response - Wordfence CLI - Wordfence Intelligence - Wordfence Central Supp

Goal Reached Thanks to every supporter — we hit 100%!

GEO my WP <= 4.5.5 Unauthenticated SQL Injection (CVE-2026-9757)

More from this source