Vulnerabilities and security researches forcf-geoplugin cf-geoplugin

Dec 11, 2025

CVE, Research URL: CVE-2025-62109
Home page URL: Security reports for Geo Controller
Application: Geo Controller
Date: Dec 09, 2025
Research Description: Insertion of Sensitive Information Into Sent Data vulnerability in INFINITUM FORM Geo Controller cf-geoplugin allows Retrieve Embedded Sensitive Data.This issue affects Geo Controller: from n/a through <= 8.9.4.
Affected versions: max 8.9.4.
Status: vulnerable

Sep 06, 2024

CVE, Research URL: CVE-2024-7381
Home page URL: Security reports for Geo Controller
Application: Geo Controller
Date: Sep 05, 2024
Research Description: The Geo Controller plugin for WordPress is vulnerable to unauthorized shortcode execution due to missing authorization and capability checks on the ajax__shortcode_cache function in all versions up to, and including, 8.6.9. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes available on the target site.
Affected versions: max 8.7.0.
Status: vulnerable

CVE, Research URL: CVE-2024-7380
Home page URL: Security reports for Geo Controller
Application: Geo Controller
Date: Sep 05, 2024
Research Description: The Geo Controller plugin for WordPress is vulnerable to unauthorized menu creation/deletion due to missing capability checks on the ajax__geolocate_menu and ajax__geolocate_remove_menu functions in all versions up to, and including, 8.6.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create or delete WordPress menus.
Affected versions: max 8.7.4.
Status: vulnerable

Jun 10, 2024

CVE, Research URL: CVE-2023-51513
Home page URL: Security reports for Geo Controller
Application: Geo Controller
Date: -
Research Description: The Geo Controller plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 8.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 8.5.2.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: 47880aa7-17ce-490a-9aed-c4ff9113b52d
Home page URL: Security reports for Geo Controller
Application: Geo Controller
Date: -
Research Description: Geo Controller [cf-geoplugin] < 8.6.5 CF Geo Plugin < 7.13.12 - Reflected Cross-Site Scripting The plugin does not escape the some parameter before outputting them back in admin pages, leading to a Reflected Cross-Site Scripting issue
Affected versions: max 8.6.5.
Status: vulnerable

CVE, Research URL: CVE-2024-3591
Home page URL: Security reports for Geo Controller
Application: Geo Controller
Date: May 01, 2024
Research Description: The Geo Controller WordPress plugin before 8.6.5 unserializes user input via some of its AJAX actions and REST API routes, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.
Affected versions: max 8.6.5.
Status: vulnerable

CVE, Research URL: CVE-2024-30227
Home page URL: Security reports for Geo Controller
Application: Geo Controller
Date: Mar 28, 2024
Research Description: Deserialization of Untrusted Data vulnerability in INFINITUM FORM Geo Controller.This issue affects Geo Controller: from n/a through 8.6.4.
Affected versions: max 8.6.5.
Status: vulnerable

CVE, Research URL: CVE-2024-30451
Home page URL: Security reports for Geo Controller
Application: Geo Controller
Date: Mar 29, 2024
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in INFINITUM FORM Geo Controller allows Stored XSS.This issue affects Geo Controller: from n/a through 8.6.4.
Affected versions: max 8.6.5.
Status: vulnerable