CVE-2026-42639

Vulnerability

The GD Rating System plugin for WordPress versions 3.6.2 and earlier contains an unauthenticated SQL injection vulnerability [1]. The flaw exists in an input parameter that is not properly sanitized before being used in a database query, allowing an attacker to inject arbitrary SQL commands without any authentication [1].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted HTTP request to a WordPress site running the vulnerable plugin [1]. No authentication or prior access is required, and the attack can be performed remotely over the network [1]. The vulnerability is known to be used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation allows an attacker to directly interact with the underlying database [1]. This can lead to unauthorized access to sensitive data, such as user credentials and site information, as well as potential data corruption or deletion [1]. The CVSS score of 9.3 reflects the critical severity of this vulnerability [1].

Mitigation

The vulnerability is fixed in version 3.7 of the GD Rating System plugin [1]. Users are strongly advised to update immediately to the latest version [1]. For those using Patchstack, a mitigation rule is available to block attacks until the update is applied [1]. No other workarounds have been provided, and given the active exploitation risk, updating is the recommended action [1].