An attacker who successfully exploits this flaw can read the entire WordPress database without any account or credentials, potentially exposing registered user data, hashed passwords, email addresses, and any personal information stored in the site's tables. For organizations operating e-commerce, membership, or lead-generation sites on WordPress, a successful extraction could trigger breach notification obligations under GDPR, state privacy laws, or HIPAA if health-related data is stored. Reputational and legal costs from a public disclosure of customer data exposure typically exceed the cost of patching by orders of magnitude.
You Are Affected If
You run GEO my WP plugin version 4.5.5 or earlier on any WordPress installation
The WordPress site has a page publicly accessible without authentication that includes the [gmw form="results" form_id=N] shortcode
At least one published post on the site has an associated gmw_location database row
No Web Application Firewall (WAF) is in place filtering or blocking malformed query string parameters
You have not yet updated to a patched version of the GEO my WP plugin once one is released by the vendor
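The first two conditions above (plugin at or below 4.5.5, and a published post carrying the results shortcode) can be checked offline from a copy of the plugin's main file and an export of post content. The script below is an added example written for this advisory, not code from the plugin or its vendor; the plugin file path, the export format, and the post status check are assumptions, and the third condition (a gmw_location row for at least one published post) still needs a direct database query that is not shown here.

```python
"""Triage helper for the affected-if checklist (added example, not plugin code)."""
import re
from pathlib import Path

# Last affected release named in the advisory.
LAST_AFFECTED_VERSION = "4.5.5"

# Matches the vulnerable results form shortcode and captures its form_id.
SHORTCODE_RE = re.compile(
    r'\[gmw\s+form\s*=\s*["\']results["\'][^\]]*?form_id\s*=\s*["\']?(\d+)',
    re.IGNORECASE,
)


def parse_version(version: str) -> tuple:
    """Turn '4.5.5' into (4, 5, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected_version(version: str) -> bool:
    """True when the installed version is 4.5.5 or earlier."""
    return parse_version(version) <= parse_version(LAST_AFFECTED_VERSION)


def read_plugin_version(header_text: str):
    """Extract the 'Version:' field from a standard WordPress plugin header block."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return match.group(1) if match else None


def find_results_shortcodes(post_content: str) -> list:
    """Return every form_id used by a [gmw form="results" ...] shortcode in the content."""
    return [int(form_id) for form_id in SHORTCODE_RE.findall(post_content)]


def triage(installed_version: str, posts: list) -> dict:
    """Combine the version check with a scan of published posts.

    posts: list of dicts with keys 'id', 'status', 'content' (assumed export shape).
    Only posts with status 'publish' count, since the exposure requires a page
    reachable without authentication.
    """
    exposed = {}
    for post in posts:
        if post.get("status") != "publish":
            continue
        form_ids = find_results_shortcodes(post.get("content", ""))
        if form_ids:
            exposed[post["id"]] = form_ids
    affected_version = is_affected_version(installed_version)
    return {
        "installed_version": installed_version,
        "affected_version": affected_version,
        "exposed_posts": exposed,
        # Both checklist conditions hold; gmw_location rows still need a DB query.
        "at_risk": affected_version and bool(exposed),
    }


def triage_from_files(plugin_main_file: str, posts: list) -> dict:
    """Read the version from the plugin's main PHP file on disk, then triage."""
    version = read_plugin_version(Path(plugin_main_file).read_text(errors="replace"))
    return triage(version or "0", posts)


# Constructed sample inputs for a stand-alone run.
SAMPLE_HEADER = """<?php
/*
 * Plugin Name: GEO my WP
 * Version: 4.5.5
 */
"""

SAMPLE_POSTS = [
    {"id": 12, "status": "publish", "content": 'Find us: [gmw form="results" form_id=3]'},
    {"id": 15, "status": "draft", "content": '[gmw form="results" form_id=4]'},
    {"id": 20, "status": "publish", "content": "No shortcode on this page."},
]

if __name__ == "__main__":
    report = triage(read_plugin_version(SAMPLE_HEADER), SAMPLE_POSTS)
    print(report)
```

Point `triage_from_files` at the plugin's main PHP file inside `wp-content/plugins/` (path assumed, not taken from the advisory) and feed it post rows pulled from `wp_posts`; an `at_risk` result of True means the site should be prioritised for the update or for disabling the plugin until the vendor's fix is applied.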
Board Talking Points
A publicly known security flaw in a WordPress location plugin allows anyone on the internet to extract our website's database contents without logging in.
IT and security teams should identify and update or disable the affected plugin within 24 to 48 hours, following vendor patch availability.
Failure to act leaves customer data, credentials, and site infrastructure exposed to automated scanning and targeted theft with no authentication barrier.
GDPR — WordPress databases commonly store EU user personal data (names, emails, account records); unauthenticated database extraction constitutes a personal data breach requiring assessment under GDPR Article 33
CCPA — California consumer personal information stored in WordPress user tables is subject to breach notification if extracted by an unauthorized party