Resolved. Posted by leedxw (@leedxw)

    An attacker is triggering fatal errors on a site by providing invalid lat/lng values

    PHP Fatal error:  Uncaught TypeError: Unsupported operand types: string - float in /var/www/html/wp-content/plugins/geo-my-wp/plugins/posts-locator/includes/class-gmw-wp-query.php:309
    Stack trace:
    #0 /var/www/html/wp-includes/class-wp-hook.php(324): GMW_WP_Query::gmw_locations_query()
    #1 /var/www/html/wp-includes/plugin.php(256): WP_Hook->apply_filters()
    #2 /var/www/html/wp-includes/class-wp-query.php(3017): apply_filters_ref_array()
    #3 /var/www/html/wp-includes/class-wp-query.php(3949): WP_Query->get_posts()
    #4 /var/www/html/wp-includes/class-wp-query.php(4081): WP_Query->query()
    #5 /var/www/html/wp-content/plugins/geo-my-wp/plugins/posts-locator/includes/class-gmw-wp-query.php(96): WP_Query->__construct()
    #6 /var/www/html/wp-content/plugins/geo-my-wp/plugins/posts-locator/includes/class-gmw-posts-locator-form.php(122): GMW_WP_Query->__construct()
    #7 /var/www/html/wp-content/plugins/geo-my-wp/includes/class-gmw-form-core.php(1004): GMW_Posts_Locator_Form->parse_search_query()
    #8 /var/www/html/wp-content/plugins/geo-my-wp/includes/class-gmw-form.php(190): GMW_Form_Core->search_query()
    #9 /var/www/html/wp-content/plugins/geo-my-wp/includes/class-gmw-form.php(443): GMW_Form->pre_search_query()
    #10 /var/www/html/wp-content/plugins/geo-my-wp/includes/gmw-shortcodes.php(167): GMW_Form->output()
    #11 /var/www/html/wp-includes/shortcodes.php(434): gmw_shortcode()
    #12 [internal function]: do_shortcode_tag()
    #13 /var/www/html/wp-includes/shortcodes.php(273): preg_replace_callback()
    #14 /var/www/html/wp-includes/class-wp-hook.php(324): do_shortcode()
    #15 /var/www/html/wp-includes/plugin.php(205): WP_Hook->apply_filters()
    #16 /var/www/html/wp-includes/post-template.php(256): apply_filters()
    #17 /var/www/html/wp-content/themes/theme/page-events.php(79): the_content()
    #18 /var/www/html/wp-includes/template-loader.php(106): include('...')
    #19 /var/www/html/wp-blog-header.php(19): require_once('...')
    #20 /var/www/html/index.php(17): require('...')
    #21 {main}
    thrown in /var/www/html/wp-content/plugins/geo-my-wp/plugins/posts-locator/includes/class-gmw-wp-query.php on line 309

    We can reproduce this using:

    curl -v "http://localhost/find-events/?lat=Fxnu&lng=UfcS&form=5&action=fs"

    I believe this can probably be avoided by forcing the value to be a float prior to use:

    --- plugins/posts-locator/includes/class-gmw-wp-query.php.dist	2025-08-29 09:46:00.000000000 +0000
    +++ plugins/posts-locator/includes/class-gmw-wp-query.php 2025-09-15 10:22:43.663664996 +0000
    @@ -296,8 +296,8 @@

    // since these values are repeatable, we escape them previous
    // the query instead of running multiple prepares.
    - $lat = esc_sql( $args['gmw_lat'] );
    - $lng = esc_sql( $args['gmw_lng'] );
    + $lat = (float) esc_sql( $args['gmw_lat'] );
    + $lng = (float) esc_sql( $args['gmw_lng'] );
    $distance = ! empty( $args['gmw_radius'] ) ? esc_sql( $args['gmw_radius'] ) : '';
    $distance_sql = "ROUND( {$earth_radius} * acos( cos( radians( {$lat} ) ) * cos( radians( gmw_locations.latitude ) ) * cos( radians( gmw_locations.longitude ) - radians( {$lng} ) ) + sin( radians( {$lat} ) ) * sin( radians( gmw_locations.latitude ) ) ),1 ) AS distance";
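Review bot: the cast sits outside esc_sql() on the two changed lines, so the escaping is redundant once the value is a float, and (float) silently turns non-numeric input such as the reported "Fxnu" into 0.0, which means the query runs against coordinates (0, 0) instead of the request being rejected; consider validating with is_numeric() or filter_var( $v, FILTER_VALIDATE_FLOAT ) plus a range check (-90..90 for latitude, -180..180 for longitude) and returning early on failure. The $distance line directly below is still only esc_sql()'d; if it is interpolated unquoted into SQL the same way $lat and $lng are in $distance_sql, it needs the same numeric treatment, e.g. `$distance = ! empty( $args['gmw_radius'] ) ? (float) $args['gmw_radius'] : '';` or a $wpdb->prepare() call with %f placeholders.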
    This topic was modified 8 months, 3 weeks ago by leedxw.
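A stricter variant of the fix, as an added example that is not the plugin's code or the poster's patch: validate lat/lng as plain decimal numbers within the legal coordinate ranges and reject the request when they fail, rather than letting a (float) cast turn junk input into 0.0. The function names, the regex, and the sample inputs are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

/**
 * Validate a user-supplied coordinate string (illustrative helper, not GMW's).
 * Returns a float within [$min, $max], or null when the input is not a plain
 * decimal number or is out of range. Unlike a (float) cast, junk such as
 * "Fxnu" yields null instead of silently becoming 0.0.
 */
function validate_coordinate(string $value, float $min, float $max): ?float
{
    $value = trim($value);
    // Reject empty strings, exponent/hex notation and anything non-numeric.
    if ($value === '' || !preg_match('/^-?\d{1,3}(\.\d+)?$/', $value)) {
        return null;
    }
    $f = (float) $value;
    return ($f >= $min && $f <= $max) ? $f : null;
}

/**
 * Build the distance expression from already-validated floats.
 * number_format() with '.' and no thousands separator yields a fixed-format
 * numeric literal, so no string escaping is needed in this numeric context.
 */
function distance_sql(float $lat, float $lng, float $earth_radius): string
{
    $lat_s = number_format($lat, 6, '.', '');
    $lng_s = number_format($lng, 6, '.', '');
    return "ROUND( {$earth_radius} * acos( cos( radians( {$lat_s} ) ) * cos( radians( gmw_locations.latitude ) ) * cos( radians( gmw_locations.longitude ) - radians( {$lng_s} ) ) + sin( radians( {$lat_s} ) ) * sin( radians( gmw_locations.latitude ) ) ), 1 ) AS distance";
}

// Constructed sample inputs: the junk from the report, a valid pair, and an
// out-of-range pair that is numeric but must still be refused.
$samples = [
    ['lat' => 'Fxnu',    'lng' => 'UfcS'],
    ['lat' => '51.5074', 'lng' => '-0.1278'],
    ['lat' => '95',      'lng' => '10'],
];
foreach ($samples as $s) {
    $lat = validate_coordinate($s['lat'], -90.0, 90.0);
    $lng = validate_coordinate($s['lng'], -180.0, 180.0);
    if ($lat === null || $lng === null) {
        // Refuse the request (an HTTP 400 fits) instead of querying around (0, 0).
        echo "rejected: lat={$s['lat']} lng={$s['lng']}\n";
        continue;
    }
    echo distance_sql($lat, $lng, 6371.0), "\n";
}
```

If the source array can hold non-string values, cast them with (string) before calling validate_coordinate(), since strict_types is enabled.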

The topic ‘Fatal error in posts-locator – Uncaught TypeError’ is closed to new replies.