{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32368", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:10:59.411Z", "datePublished": "2026-03-13T11:42:06.228Z", "dateUpdated": "2026-04-29T09:51:57.878Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "geo-to-lat", "product": "Geo to Lat", "vendor": "delphiknight", "versions": [{"changes": [{"at": "1.1", "status": "unaffected"}], "lessThanOrEqual": "1.0.19", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:49.310Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in delphiknight Geo to Lat geo-to-lat allows Blind SQL Injection.<p>This issue affects Geo to Lat: from n/a through <= 1.0.19.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in delphiknight Geo to Lat geo-to-lat allows Blind SQL Injection.This issue affects Geo to Lat: from n/a through <= 1.0.19."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.878Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/geo-to-lat/vulnerability/wordpress-geo-to-lat-plugin-1-0-19-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress Geo to Lat plugin <= 1.0.19 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32368", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T19:29:37.170527Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T19:33:50.573Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32368", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T19:29:37.170527Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T19:29:37.910Z"}}], "cna": {"title": "WordPress Geo to Lat plugin <= 1.0.19 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "delphiknight", "product": "Geo to Lat", "versions": [{"status": "affected", "changes": [{"at": "1.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.19"}], "packageName": "geo-to-lat", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:04:49.310Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/geo-to-lat/vulnerability/wordpress-geo-to-lat-plugin-1-0-19-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in delphiknight Geo to Lat geo-to-lat allows Blind SQL Injection.This issue affects Geo to Lat: from n/a through <= 1.0.19.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in delphiknight Geo to Lat geo-to-lat allows Blind SQL Injection.<p>This issue affects Geo to Lat: from n/a through <= 1.0.19.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:57.878Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32368", "state": "PUBLISHED", "dateUpdated": "2026-04-29T09:51:57.878Z", "dateReserved": "2026-03-12T11:10:59.411Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:06.228Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in delphiknight Geo to Lat geo-to-lat allows Blind SQL Injection.This issue affects Geo to Lat: from n/a through <= 1.0.19."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de Elementos Especiales utilizados en un Comando SQL ('Inyecci\u00f3n SQL') vulnerabilidad en delphiknight Geo to Lat geo-to-lat permite Inyecci\u00f3n SQL Ciega. Este problema afecta a Geo to Lat: desde n/a hasta &lt;= 1.0.19."}], "id": "CVE-2026-32368", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:54:51.027", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/geo-to-lat/vulnerability/wordpress-geo-to-lat-plugin-1-0-19-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.19]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Geo to Lat", "source": "cna", "vendor": "delphiknight"}, "product": "geo_to_lat", "vendor": "delphiknight"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T14:57:27.573182+00:00", "value": {"mitigation_remediation": ["Upgrade the WordPress Geo to Lat plugin to a version newer than 1.0.19 as soon as possible.", "If immediate upgrade is not feasible, temporarily disable or block the plugin to eliminate the attack surface.", "Review any custom code that interacts with the plugin or its database queries to ensure proper input sanitization and parameterization.", "Monitor database logs for unusual query patterns that may indicate attempts to exploit SQL injection vulnerabilities."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection (Blind)"}, "threat_synthesis": {"affected_systems": "WordPress sites installing the delphiknight Geo to Lat plugin with versions up to and including 1.0.19 are affected. The vulnerability applies to any installation that has not yet upgraded beyond that version threshold.", "description_and_impact": "The vulnerability exists in the WordPress Geo to Lat plugin and allows attackers to perform blind SQL injection through improper neutralization of special elements used in SQL commands (CWE-89). Enabling this flaw could let a remote attacker read, modify or delete sensitive database contents, leading to significant confidentiality and integrity compromise. The description emphasizes that the issue allows blind data extraction, indicating that the attacker can infer database contents via query responses rather than direct error messages, but can still achieve substantial data exposure.", "risk_and_exploitability": "The CVSS score of 8.5 indicates a high severity risk. EPSS score is below 1%, suggesting a low likelihood of exploitation in the current threat landscape, and the vulnerability is not listed in the CISA KEV catalog. The description reports a blind SQL injection, implying that an attacker can infer data from the database, but the exact attack vector (e.g., unauthenticated request, privileged user) is not explicitly stated, so it is inferred that exploitation may require access to the plugin\u2019s input parameters and potentially site or database access. Overall, the risk remains high due to the potential for data compromise should an attacker successfully exploit the flaw."}}}}, "created": "2026-03-16T09:34:40.265780+00:00", "updated": "2026-03-23T09:58:49.887706+00:00", "vendors": ["delphiknight", "delphiknight$PRODUCT$geo_to_lat", "wordpress", "wordpress$PRODUCT$wordpress"]}