The Rankie plugin for WordPress has an SQL Injection flaw that arises from improper neutralization of special elements in SQL commands. An attacker can supply malicious input that is incorporated directly into a database query, allowing the execution of arbitrary SQL statements. This can lead to data exfiltration, modification or deletion, and potentially escalation of privileges if the database user has higher rights. The weakness is a classic CWE‑89 SQL Injection.

Any WordPress installation using the Rankie plugin version earlier than 1.8.2 is affected. The plugin, developed by ValvePress, is distributed under the name "ValvePress Rankie". Users of Rankie 1.8.1 or older must be aware that the vulnerability exists across all prior releases.

The vulnerability scores 8.5 on the CVSSv3.0 scale, indicating high severity. The EPSS score is below 1 %, suggesting a low current exploitation probability, and it is not listed in the CISA KEV catalog. Despite the low EPSS, the attack can be carried out remotely by submitting crafted requests through the plugin’s input interface, which is reachable from any user who can interact with the WordPress site. Because the flaw allows the manipulation of database statements, it is likely exploitable without additional prerequisites beyond access to the plugin’s input points.