CVE-2026-2416

HIGH NUCLEI

Geo Mashup WordPress Plugin <1.13.17 - SQL Injection

Title source: llm

Description

The Geo Mashup plugin for WordPress is vulnerable to SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.17. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Exploits (1)

github WORKING POC

by Sechunt3r · shellpoc

https://github.com/Sechunt3r/CVE-POCs/tree/main/CVE-2026-2416

View Code ZIP pw:eip

Nuclei Templates (1)

Geo Mashup <= 1.13.17 - SQL Injection

HIGHVERIFIEDby Shivam Kamboj

References (4)

[Product] https://plugins.trac.wordpress.org/browser/geo-mashup/tags/1.13.17/geo-mashup-db.php#L1530

[Product] https://plugins.trac.wordpress.org/browser/geo-mashup/tags/1.13.17/geo-mashup-db.php#L1701

[Product] https://plugins.trac.wordpress.org/changeset/3461591/geo-mashup

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/8ab5ca55-0a8a-45a8-9ab0-aa3bbfa85417?source=cve

Scores

CVSS v3 7.5

EPSS 0.1951

EPSS Percentile 95.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-89

Status published

Products (1)

cyberhobo/Geo Mashup < 1.13.17

Published Feb 25, 2026

Tracked Since Feb 25, 2026