Geo Mashup
cpe:2.3:a:geo_mashup_project:geo_mashup:*:*:*:*:wordpress:*:*
- <= 1.13.18
A time-based SQL injection vulnerability has been identified in the Geo Mashup plugin for WordPress, affecting all versions through 1.13.18. The vulnerability arises from the 'map_post_type' parameter, which is processed by the 'SearchResults' hook. This hook removes WordPress's magic quotes protection and then incorporates the unsanitized 'map_post_type' value into an SQL 'IN(...)' clause without proper escaping. While the 'any' branch of the code correctly sanitizes the input, the else branch does not, allowing unauthenticated attackers to inject additional SQL queries. Exploitation of this vulnerability could lead to the extraction of sensitive database information using a time-based blind SQL injection technique. The Geo Search feature must be enabled in the plugin settings for the vulnerability to be exploited.
Exploitation of this vulnerability allows for time-based blind SQL injection, where an attacker can manipulate SQL queries to extract sensitive information from the database.
To reproduce this vulnerability, first ensure that the Geo Mashup plugin is installed and activated on a WordPress site. Then, navigate to the plugin's settings and enable the Geo Search feature. Once this is done, send a POST request to a page that uses the 'SearchResults' hook, including the 'map_post_type' parameter with an unsanitized value. The injected SQL will be executed, allowing for the extraction of database information.
Users are advised to update the Geo Mashup plugin to version 1.13.19 or later, where this vulnerability has been patched.
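The unsafe `IN(...)` construction described above, next to a hardened form, as an added example that is not Geo Mashup's code or its 1.13.19 patch. The function names, the comma-separated input format, the list of registered post types and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not Geo Mashup's code. Function names, the comma-separated
// input format and the sample values are assumptions made for illustration.

// Unsafe pattern the advisory describes: the request value is placed
// inside IN('...') as-is, so a quote in it ends the string literal.
function unsafe_post_type_clause(string $raw): string
{
    return "post_type IN ('" . $raw . "')";
}

// Hardened form: normalise each item, keep only registered post types,
// and emit placeholders so values travel separately from the SQL text.
function safe_post_type_clause(string $raw, array $registered): array
{
    $wanted = [];
    foreach (explode(',', $raw) as $item) {
        // Same character set WordPress's sanitize_key() allows.
        $key = preg_replace('/[^a-z0-9_\-]/', '', strtolower(trim($item)));
        if ($key !== '' && in_array($key, $registered, true)
            && !in_array($key, $wanted, true)) {
            $wanted[] = $key;
        }
    }
    if ($wanted === []) {
        // Nothing valid was requested: match no rows instead of all rows.
        return ['sql' => '1=0', 'args' => []];
    }
    $marks = implode(', ', array_fill(0, count($wanted), '%s'));
    // Inside WordPress, 'sql' and 'args' would be passed to $wpdb->prepare().
    return ['sql' => "post_type IN ($marks)", 'args' => $wanted];
}

// Constructed inputs: one ordinary value, one containing a stray quote.
$registered = ['post', 'page', 'attachment'];
foreach (['post,page', "post'x"] as $raw) {
    echo 'unsafe: ', unsafe_post_type_clause($raw), PHP_EOL;
    echo 'safe:   ', json_encode(safe_post_type_clause($raw, $registered)), PHP_EOL;
}
```

The allow-list check matters as much as the placeholders: a value that is not a registered post type never reaches the query at all.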