Security Advisory · Published 2026-05-30
GEO my WP CVE-2026-9757: unauthenticated SQL injection on your WordPress map (5-minute check)
On May 30, 2026 Wordfence published CVE-2026-9757 — SQL injection in
the GEO my WP plugin (versions ≤ 4.5.5). Attackers can hit the
swlatlng and nelatlng parameters without logging in, bypass
WordPress's normal request sanitization, and pull data straight out of your database.
You only need the plugin installed, a public page with the Posts Locator results shortcode,
and at least one geotagged post. That describes a lot of store locators, membership maps,
and "find a dealer" widgets — so check this before the weekend traffic spike.
TL;DR
- CVE: CVE-2026-9757 · CVSS 7.5 (High) · CWE-89 SQL injection
- Plugin: GEO my WP (geo-my-wp) ≤ 4.5.5
- Auth: none — unauthenticated
- PoC: public references on Wordfence / plugin Trac
- Fix: upgrade to the latest release from wordpress.org; remove the plugin if you do not use it
What breaks, in plain English
GEO my WP builds location search for WordPress. The vulnerable function
gmw_get_locations_within_boundaries_sql() reads map corner coordinates from
$_SERVER['QUERY_STRING'] through parse_str(). That path skips
WordPress's wp_magic_quotes protection (which only covers
$_GET, $_POST, and friends). The latitude/longitude fragments
are stitched into a SQL BETWEEN clause with no
$wpdb->prepare(), no esc_sql(), and no numeric validation.
A crafted query string appends attacker-controlled SQL and can leak usernames, password
hashes, options, and post content.
Exploitation is not merely theoretical: Wordfence lists Trac line references and marks the exploit/PoC signal as present. Bots love unauthenticated SQLi on popular map plugins because the attack surface is an ordinary GET request to a public page.
Step 1 — Is GEO my WP installed?
Plugins → Installed Plugins → search GEO my WP or geo-my-wp. No match? You are not affected — close this tab.
From SSH:
cd /path/to/wordpress
wp plugin list | grep -i geo-my-wp
Version 4.5.5 or lower is in the affected range. If you are already on a higher version released after May 30, 2026, still run the log checks below — you may have been probed before you patched.
Step 2 — Do you expose the vulnerable shortcode?
The advisory requires a public page hosting the Posts Locator results shortcode, roughly:
[gmw form="results" form_id=N], plus at least one published post with a
gmw_location row. Open the page in an incognito window. If visitors can run
a location search without logging in, assume the endpoint is reachable by attackers.
Step 3 — Grep access logs for probes
Look for map boundary parameters with SQL metacharacters:
grep -E 'swlatlng=|nelatlng=' /var/log/nginx/access.log* 2>/dev/null | grep -E "(%27|'|UNION|SELECT|sleep\()" | tail -40
Rotated logs that have already been gzipped need zgrep instead of grep. On cPanel, use Metrics → Raw Access or your security plugin's live traffic view with the same strings. Bursts of unique IPs hitting the same URL with long query strings are worth saving for incident notes.
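The grep above only catches payloads whose SQL keywords appear literally in the log, so it misses URL-encoded or double-encoded probes. As an added example (not part of the advisory or the plugin's code), this Python scanner decodes each boundary parameter and flags any value that is not a plain coordinate pair. It assumes the Apache/nginx combined log format and that a legitimate value is "lat,lng" with two signed decimals; the sample log lines are constructed.

```python
"""Scan access logs for probes of GEO my WP's map-boundary parameters (swlatlng/nelatlng)."""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

BOUNDARY_PARAMS = ("swlatlng", "nelatlng")
# Assumption: a legitimate boundary value is "lat,lng" with two signed decimals.
COORD_PAIR = re.compile(r"^-?\d{1,3}(\.\d+)?,-?\d{1,3}(\.\d+)?$")
# SQL-injection markers, checked after URL-decoding, case-insensitive.
SQL_MARKERS = re.compile(
    r"('|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\()", re.I)
# Apache/nginx combined log: ip ident user [time] "METHOD target HTTP/x" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify_request(target):
    """Return (param, decoded_value, reason) for the first suspicious boundary
    parameter in a request target, or None when every value is a clean pair."""
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        if name not in BOUNDARY_PARAMS:
            continue
        for value in values:
            decoded = unquote_plus(value)  # second decode catches %2527-style payloads
            if SQL_MARKERS.search(decoded):
                return (name, decoded, "sql-marker")
            if not COORD_PAIR.match(decoded):
                return (name, decoded, "not-a-coordinate-pair")
    return None

def scan_log(lines):
    """Return (ip, time, param, decoded_value, reason) for each suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue
        verdict = classify_request(m.group("target"))
        if verdict is not None:
            hits.append((m.group("ip"), m.group("time")) + verdict)
    return hits

# Constructed sample lines (RFC 5737 test addresses): a clean search, a quote/UNION probe,
# a double-encoded time-based probe, and an unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [30/May/2026:10:01:02 +0000] "GET /dealers/?swlatlng=40.70,-74.02&nelatlng=40.80,-73.90 HTTP/1.1" 200 5120
203.0.113.9 - - [30/May/2026:10:01:07 +0000] "GET /dealers/?swlatlng=40.70,-74.02%27%20UNION%20SELECT%201,2,3--%20-&nelatlng=40.80,-73.90 HTTP/1.1" 200 4096
198.51.100.7 - - [30/May/2026:10:02:11 +0000] "GET /dealers/?swlatlng=40.70,-74.02%2527%2520AND%2520sleep(5)--&nelatlng=1 HTTP/1.1" 500 0
192.0.2.44 - - [30/May/2026:10:03:00 +0000] "GET /about/ HTTP/1.1" 200 2048
"""
```

Feed it `scan_log(open(path).read().splitlines())` on a real access log; every hit carries the decoded value so you can paste it straight into incident notes.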
Step 4 — Patch or remove
- Full backup (files + database) before you touch production.
- Plugins → GEO my WP → Update to the newest version WordPress offers.
- If you stopped using the plugin years ago, deactivate and delete it — unused map code is still remote attack surface.
- Clear object cache / CDN cache so old JS bundles are not served from edge nodes.
Step 5 — After patch: quick integrity check
- Users → All Users — unexpected administrators or API-only accounts.
- wp option get siteurl and wp option get home — no redirects to unknown domains.
- Recent wp-content/uploads files you did not upload (especially .php, .phtml).
SQLi alone does not always mean a shell was dropped, but stolen admin hashes plus a password-reset flow are enough for a follow-up takeover. Rotate admin passwords if you saw successful injection patterns in logs.
If you need help
Our Quick Patch Call ($49) walks through version, logs, and update on your server in 30 minutes. If logs show exfiltration or new admin users, use the Compromise Check ($99) or the WordPress recovery guide.
Live CVE pushes: @ping7cve on Telegram or free email alerts.
FAQ — CVE-2026-9757
- Is CVE-2026-9757 unauthenticated?
- Yes. Attackers do not need a WordPress login if the vulnerable map shortcode is on a public page.
- Which GEO my WP versions are affected?
- Wordfence lists versions ≤ 4.5.5. Update to the latest release from wordpress.org.
- How do I check if my site was scanned?
- Grep access logs for swlatlng= or nelatlng= with SQL-like payloads (see Step 3 above).