Description
Unauthenticated SQL Injection in GD Rating System <= 3.6.2 versions.
Published: 2026-06-15
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The GD Rating System plugin for WordPress, versions up to and including 3.6.2, contains an SQL Injection flaw that is reachable without authentication: an attacker who is not logged in can supply specially crafted input to the plugin's rating interface. The vulnerability can be leveraged to read, modify, or delete data stored in the WordPress database, compromising site integrity and confidentiality. The assigned weakness is CWE-89, a classic injection flaw in which unchecked input reaches a database query.

Affected Systems

The affected system is the Dev4Press GD Rating System plugin for WordPress. All installations running version 3.6.2 or earlier are vulnerable; newer releases address the flaw.

Risk and Exploitability

The CVSS score of 9.3 classifies the vulnerability as critical, while the EPSS score of less than 1 percent indicates a low exploitation probability at the time of this analysis. Because no authentication is required, any WordPress site with the GD Rating System installed can be targeted remotely. The vulnerability is not listed in the CISA KEV catalog, which suggests there is no confirmed in-the-wild exploitation yet, but the high severity and wide deployment of the plugin warrant immediate action.

Generated by OpenCVE AI on June 16, 2026 at 21:49 UTC.

Remediation

Vendor Solution

Update the WordPress GD Rating System Plugin to the latest available version (at least 3.7).


OpenCVE Recommended Actions

  • Update the GD Rating System plugin to the latest version (3.7 or later) from the official WordPress repository.
  • Deactivate and delete any leftover copies of the plugin so that a vulnerable version cannot be reactivated by accident.
  • Back up the database and site files before applying the update so the site can be restored if needed.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 06:30:00 +0000

Type: First Time appeared
  Values Removed: none
  Values Added: Dev4press; Dev4press gd Rating System; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Removed: none
  Values Added: Dev4press; Dev4press gd Rating System; Wordpress; Wordpress wordpress
Type: Metrics
  Values Removed: none
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type: Description
  Values Removed: none
  Values Added: Unauthenticated SQL Injection in GD Rating System <= 3.6.2 versions.
Type: Title
  Values Removed: none
  Values Added: WordPress GD Rating System plugin <= 3.6.2 - SQL Injection vulnerability
Type: Weaknesses
  Values Removed: none
  Values Added: CWE-89
Type: References
Type: Metrics
  Values Removed: none
  Values Added: cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Dev4press Gd Rating System
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:27:17.407Z

Reserved: 2026-04-29T09:04:31.203Z

Link: CVE-2026-42639

Vulnrichment

Updated: 2026-06-16T01:27:12.298Z

NVD

Status : Deferred

Published: 2026-06-15T21:16:54.477

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-42639

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T22:00:13Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')