cbcvebase.

Cyberhobo Geo Mashup vulnerabilities

12 known vulnerabilities affecting cyberhobo/geo_mashup.

Total CVEs
12
CISA KEV
0
Public exploits
1
Exploited in wild
1
Severity breakdown
CRITICAL1HIGH4MEDIUM7

Vulnerabilities

Page 1 of 1
CVE-2022-4974P2MEDIUMCVSS 6.3Exploitedfixed in 1.13.62024-10-16
CVE-2022-4974 [MEDIUM] CWE-862 CVE-2022-4974: The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cr The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to missing capability checks and nonce protection on the _get_debug_log, _get_db_option, and the _set_db_option functions in versions up to, and including 2.4.2. Any WordPress plugin or theme runni
nvd
CVE-2026-2416P2HIGHCVSS 7.5PoC≤ 1.13.172026-02-25
CVE-2026-2416 [HIGH] CWE-89 CVE-2026-2416: The Geo Mashup plugin for WordPress is vulnerable to SQL Injection via the 'sort' parameter in all v The Geo Mashup plugin for WordPress is vulnerable to SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.17. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries i
nvd
CVE-2026-4062P3HIGHCVSS 7.5≤ 1.13.182026-05-02
CVE-2026-4062 [HIGH] CWE-89 CVE-2026-4062: The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'object_ids' a The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'object_ids' and 'exclude_object_ids' parameters in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is
nvd
CVE-2026-4060P3HIGHCVSS 7.5≤ 1.13.182026-05-02
CVE-2026-4060 [HIGH] CWE-89 CVE-2026-4060: The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'sort' paramet The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective in the `ORDER BY` con
nvd
CVE-2026-4061P3HIGHCVSS 7.5≤ 1.13.182026-05-02
CVE-2026-4061 [HIGH] CWE-89 CVE-2026-4061: The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'map_post_type The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'map_post_type' parameter in all versions up to, and including, 1.13.18. This is due to the `SearchResults` hook explicitly calling `stripslashes_deep($_POST)` which removes WordPress magic quotes protection, followed by the unsanitized `map_post_type` value being conca
nvd
CVE-2018-14071P3CRITICALCVSS 9.8fixed in 1.10.42018-07-16
CVE-2018-14071 [CRITICAL] CWE-20 CVE-2018-14071: The Geo Mashup plugin before 1.10.4 for WordPress has insufficient sanitization of post editor and o The Geo Mashup plugin before 1.10.4 for WordPress has insufficient sanitization of post editor and other user input.
nvd
CVE-2026-6457P3MEDIUMCVSS 6.5≤ 1.13.192026-05-02
CVE-2026-6457 [MEDIUM] CWE-89 CVE-2026-6457: The Geo Mashup plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'geo_mas The Geo Mashup plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'geo_mashup_null_fields' parameter in all versions up to, and including, 1.13.19 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with su
nvd
CVE-2026-7552P4MEDIUMCVSS 5.3≤ 1.13.192026-05-28
CVE-2026-7552 [MEDIUM] CWE-862 CVE-2026-7552: The Geo Mashup plugin for WordPress is vulnerable to authorization bypass in all versions up to, and The Geo Mashup plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.13.19. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to expose sensitive plugin configuration data, including Google Maps API keys and
nvd
CVE-2024-8990P4MEDIUMCVSS 6.4≤ 1.13.132024-10-01
CVE-2024-8990 [MEDIUM] CWE-79 CVE-2024-8990: The Geo Mashup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ge The Geo Mashup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's geo_mashup_visible_posts_list shortcode in all versions up to, and including, 1.13.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access
nvd
CVE-2024-13362P4MEDIUMCVSS 6.1≤ 1.13.152026-05-01
CVE-2024-13362 [MEDIUM] CWE-79 CVE-2024-13362: Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via th Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into perfor
nvd
CVE-2024-44008P4MEDIUMCVSS 5.4fixed in 1.13.132024-09-17
CVE-2024-44008 [MEDIUM] CWE-79 CVE-2024-44008: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan Kuhn Geo Mashup geo-mashup allows Stored XSS.This issue affects Geo Mashup: from n/a through <= 1.13.12.
nvd
CVE-2015-1383P4MEDIUMCVSS 4.3≤ 1.8.22015-02-02
CVE-2015-1383 [MEDIUM] CWE-79 CVE-2015-1383: Cross-site scripting (XSS) vulnerability in the geo search widget in the Geo Mashup plugin before 1. Cross-site scripting (XSS) vulnerability in the geo search widget in the Geo Mashup plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the search key.
nvd
Cyberhobo Geo Mashup vulnerabilities | cvebase