The GEO my WP plugin for WordPress is vulnerable to SQL Injection via the 'swlatlng' and 'nelatlng' parameters in all versions up to, and including, 4.5.5. The parameters are read from $_SERVER['QUERY_STRING'] via parse_str() (bypassing WordPress's wp_magic_quotes protection, which only covers $_POST/$_GET/$_COOKIE/$_REQUEST); each is then split on ',' via explode(), and the resulting fragments are interpolated directly into a SQL BETWEEN clause in gmw_get_locations_within_boundaries_sql() without is_numeric() validation, (float) casting, esc_sql(), or $wpdb->prepare(). This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database. Exploitation requires the site to host the Posts Locator search-results shortcode (`[gmw form="results" form_id=N]`) on a public page and to have at least one published post with an associated gmw_location row.
The GEO my WP WordPress plugin versions up to 4.5.5 contain SQL injection vulnerabilities in the 'swlatlng' and 'nelatlng' parameters that allow unauthenticated attackers to extract sensitive database information. The vulnerability bypasses WordPress security protections by reading unsanitized input from QUERY_STRING and directly interpolating it into SQL BETWEEN clauses without proper validation or escaping.
The GEO my WP plugin, in versions up to 4.5.5, contains a serious SQL injection vulnerability in the 'swlatlng' and 'nelatlng' parameters that allows unauthorized attackers to extract sensitive information from the database. The vulnerability bypasses WordPress's protection mechanisms by reading unprocessed input from QUERY_STRING and inserting it directly into SQL BETWEEN clauses without validation or escaping.
Update GEO my WP plugin to version 4.5.6 or later immediately. If immediate patching is not possible, disable the Posts Locator search-results shortcode on public pages and implement Web Application Firewall (WAF) rules to block SQL injection patterns in the swlatlng and nelatlng parameters. Review database access logs for suspicious queries and audit user accounts for unauthorized access.
Update the GEO my WP plugin to version 4.5.6 or later immediately. If an immediate update is not possible, disable the Posts Locator shortcode on public pages and apply firewall rules to block SQL injection patterns. Review database access logs and check user accounts.
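The two defensive controls the advisory calls for, strict numeric validation of the 'swlatlng'/'nelatlng' fragments before they reach a BETWEEN clause (the is_numeric()/(float)/$wpdb->prepare() step the vulnerable code skipped) and a review of access logs for requests whose bounding-box parameters are not plain 'lat,lng' pairs, are shown together in the following Python example. It is added here for illustration and is not code from the GEO my WP plugin; the column names `lat`/`lng`, the `%s` placeholder style and the access-log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Bounding-box parameters named in the advisory.
BOX_PARAMS = ("swlatlng", "nelatlng")

# A coordinate fragment is accepted only as a plain signed decimal:
# no exponents, whitespace, quotes, parentheses or SQL keywords can pass.
NUM = re.compile(r"^-?\d+(?:\.\d+)?$")


def parse_latlng(value):
    """Strictly parse a 'lat,lng' string.

    Returns a (lat, lng) tuple of floats, or None if the value is anything
    other than exactly two plain decimals within geographic range. This is
    the validation the advisory says the vulnerable code lacked before the
    fragments were spliced into the BETWEEN clause.
    """
    parts = value.split(",")
    if len(parts) != 2:
        return None
    if not all(NUM.match(p.strip()) for p in parts):
        return None
    lat, lng = (float(p) for p in parts)
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lng <= 180.0):
        return None
    return (lat, lng)


def boundaries_sql(swlatlng, nelatlng):
    """Build the bounding-box WHERE fragment with bound parameters only.

    Column names `lat` and `lng` are assumed for the example. The values are
    validated floats passed as parameters, the equivalent of $wpdb->prepare()
    with %f placeholders in WordPress, never interpolated into the string.
    Raises ValueError on input that fails parse_latlng().
    """
    sw = parse_latlng(swlatlng)
    ne = parse_latlng(nelatlng)
    if sw is None or ne is None:
        raise ValueError("bounding box must be two 'lat,lng' pairs of plain decimals")
    sql = "lat BETWEEN %s AND %s AND lng BETWEEN %s AND %s"
    return sql, (sw[0], ne[0], sw[1], ne[1])


# Matches the request line of a common/combined access-log entry (assumed format).
LOG_LINE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def scan_access_log(lines):
    """Return (line_no, param, raw_value) for every request whose
    swlatlng/nelatlng value fails strict validation.

    Any hit is worth a closer look: a benign map widget only ever sends
    two plain decimals, so anything else is at best malformed and at worst a
    probe of the injection described in the advisory.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs percent-decodes values, like PHP's parse_str() does.
        for param, values in parse_qs(query, keep_blank_values=True).items():
            if param not in BOX_PARAMS:
                continue
            for raw in values:
                if parse_latlng(raw) is None:
                    findings.append((n, param, raw))
    return findings


# Constructed sample log lines: one clean request, two malformed ones, one unrelated.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:01 +0000] "GET /locations/?swlatlng=40.70,-74.02&nelatlng=40.80,-73.93 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2025:10:00:07 +0000] "GET /locations/?swlatlng=40.70,-74.02%27&nelatlng=40.80,-73.93 HTTP/1.1" 200 9310',
    '203.0.113.9 - - [01/Jan/2025:10:00:09 +0000] "GET /locations/?swlatlng=40.70,-74.02,1&nelatlng=abc HTTP/1.1" 200 5120',
    '198.51.100.2 - - [01/Jan/2025:10:00:11 +0000] "GET /about/ HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    print(boundaries_sql("40.70,-74.02", "40.80,-73.93"))
    for line_no, param, raw in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: {param}={raw!r} failed strict lat,lng validation")
```

The regex deliberately rejects more than a SQL-safety check strictly needs (exponent notation, surrounding whitespace), because a map form never produces those and a narrow allow-list is easier to reason about than an escape step. The same allow-list doubles as the WAF rule the advisory suggests: block any request where either parameter does not match `^-?\d+(\.\d+)?,-?\d+(\.\d+)?$`.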