CVE-2026-42639

GD Rating System <= 3.6.2 - Unauthenticated SQL Injection

CWE: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS Score: 7.5
Severity: high
Patched in: 3.7
Time to patch: 6d

Description

The GD Rating System plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.6.2 due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries that can be used to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Technical Details

Affected versions: <=3.6.2
Published: April 29, 2026
Last updated: May 4, 2026
Affected plugin: gd-rating-system

What Changed in the Fix

Changes introduced in v3.7


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-42639 (GD Rating System SQL Injection)

1. Vulnerability Summary

The GD Rating System plugin for WordPress (versions <= 3.6.2) contains an unauthenticated SQL injection vulnerability. The flaw exists in the handling of frontend AJAX requests where user-supplied parameters (specifically related to post IDs, paging, or rating methods) are used to construct SQL queries without sufficient escaping or the use of $wpdb->prepare(). An unauthenticated attacker can use this to append SQL logic (e.g., UNION SELECT) to extract sensitive information, such as user hashes and WordPress secrets, from the database.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: gdrts_load_votes (This is the primary frontend AJAX action for the plugin's rating logs and displays).
  • Vulnerable Parameter: post_id (commonly used in gdrts_load_votes) or paged.
  • Authentication: Unauthenticated. The action is registered via wp_ajax_nopriv_gdrts_load_votes.
  • Preconditions: A valid nonce for the frontend AJAX action is required. This is usually localized in the gdrts_data or gdrts_front_vars JavaScript object on any page where a rating widget or shortcode is rendered.

3. Code Flow

Research Findings
Static analysis — not yet PoC-verified

Summary

The GD Rating System plugin for WordPress is vulnerable to unauthenticated SQL Injection via frontend AJAX actions like gdrts_load_votes. Parameters such as post_id and paged are concatenated directly into SQL queries without proper escaping or preparation using $wpdb->prepare(), allowing attackers to manipulate queries and extract sensitive database information.

Vulnerable Code

// core/admin/cron.php line 43
public static function recalculate_max_changed_single_type( $object, $sum = true ) {
	$max = $object['max'];

	$set = array(
		"b.`rating` = FLOOR(b.`rating` * (" . $max . "/b.`max`))"
	);

	// Values taken from $object are concatenated straight into quoted
	// literals: no escaping and no $wpdb->prepare(), so a quote character
	// in any of them terminates the literal and the rest becomes SQL.
	$where = array(
		"b.`method` = '" . $object['method'] . "'",
		"i.`entity` = '" . $object['entity'] . "'",
		"i.`name` = '" . $object['name'] . "'",
		"b.`max` != " . $max
	);

	if ( $sum ) {
		$set[] = "b.`sum` = FLOOR(b.`sum` * (" . $max . "/b.`max`))";
	}

	$set[] = "b.`max` = " . $max;

	$sql = "UPDATE " . gdrts_db()->items_basic . " b INNER JOIN " . gdrts_db()->items . " i ON i.item_id = b.item_id SET " . join( ", ", $set ) . " WHERE " . join( " AND ", $where );

	// The assembled string is executed as-is.
	gdrts_db()->query( $sql );
}
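A hardened form of the function above, added here as an example (it is not the plugin's own code or the 3.7 fix): the same UPDATE built with $wpdb->prepare() placeholders so the method, entity, name and max values from $object are quoted or cast rather than concatenated. It assumes $object['max'] is an integer and that gdrts_db() exposes the same table-name properties and query() wrapper seen in the original snippet.

```php
<?php
// Added example, not code from the GD Rating System plugin or its 3.7 fix:
// the UPDATE from recalculate_max_changed_single_type() rebuilt so every
// value taken from $object goes through $wpdb->prepare() placeholders.
// Assumed: $object['max'] is an integer, and gdrts_db() exposes the same
// table-name properties and query() wrapper as the original snippet.
function gdrts_example_recalculate_max_safe( $object, $sum = true ) {
	global $wpdb;

	$max = (int) $object['max'];
	if ( $max <= 0 ) {
		return false; // never divide by, or scale to, a bogus max
	}

	// Table and column names are not user controlled, so they stay inline;
	// only the data values become placeholders.
	$items_basic = gdrts_db()->items_basic;
	$items       = gdrts_db()->items;

	$set  = array( 'b.`rating` = FLOOR(b.`rating` * (%d / b.`max`))' );
	$args = array( $max );

	if ( $sum ) {
		$set[]  = 'b.`sum` = FLOOR(b.`sum` * (%d / b.`max`))';
		$args[] = $max;
	}

	$set[]  = 'b.`max` = %d';
	$args[] = $max;

	$sql = "UPDATE {$items_basic} b INNER JOIN {$items} i ON i.item_id = b.item_id SET "
		. join( ', ', $set )
		. ' WHERE b.`method` = %s AND i.`entity` = %s AND i.`name` = %s AND b.`max` != %d';

	$args[] = $object['method'];
	$args[] = $object['entity'];
	$args[] = $object['name'];
	$args[] = $max;

	// prepare() quotes and escapes each %s and casts each %d, so a quote
	// character inside method/entity/name can no longer end the literal.
	$prepared = $wpdb->prepare( $sql, $args );

	return gdrts_db()->query( $prepared );
}
```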

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/gd-rating-system/3.6.2/core/admin/ajax.php /home/deploy/wp-safety.org/data/plugin-versions/gd-rating-system/3.7/core/admin/ajax.php
--- /home/deploy/wp-safety.org/data/plugin-versions/gd-rating-system/3.6.2/core/admin/ajax.php	2024-06-07 10:46:20.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/gd-rating-system/3.7/core/admin/ajax.php	2026-04-27 18:31:24.000000000 +0000
@@ -31,7 +31,7 @@
 
 		require_once( GDRTS_PATH . 'core/admin/transfer.php' );
 
-		$operation = $_POST['operation'];
+		$operation = d4p_sanitize_key_expanded( $_POST['operation'] );
 
 		switch ( $operation ) {
 			case 'start':
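Review bot: The `+` line still reads `$_POST['operation']` without an `isset()` guard, so a request that omits the parameter raises an undefined-index notice before `d4p_sanitize_key_expanded()` is reached; suggest `$operation = isset( $_POST['operation'] ) ? d4p_sanitize_key_expanded( $_POST['operation'] ) : '';`. Note also that the `switch` below compares against fixed literals such as `'start'`, so this sanitization narrows the accepted character set rather than touching the concatenated query construction quoted from core/admin/cron.php, which is not changed anywhere in this diff.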
@@ -98,7 +98,7 @@
 		@ini_set( 'memory_limit', '256M' );
 		@set_time_limit( 0 );
 
-		$operation = $_POST['operation'];
+		$operation = d4p_sanitize_key_expanded( $_POST['operation'] );
 
 		switch ( $operation ) {
 			case 'start':
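Review bot: This is the same one-line change as the first hunk, repeated verbatim; reading and sanitizing `operation` once in a shared helper would keep a future handler from omitting it. The `@ini_set( 'memory_limit', '256M' )` and `@set_time_limit( 0 )` calls on the preceding context lines execute before `$operation` has matched any case, so a request carrying an unrecognized operation still alters PHP resource limits; moving them inside the matching `case` branches would avoid that.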
@@ -243,7 +243,7 @@
 
 		require_once( GDRTS_PATH . 'core/admin/maintenance.php' );
 
-		$operation = $_POST['operation'];
+		$operation = d4p_sanitize_key_expanded( $_POST['operation'] );
 
 		switch ( $operation ) {
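Review bot: No nonce or capability check is visible in the context lines of this maintenance handler; the reviewer should confirm that a `check_ajax_referer()` and `current_user_can()` call runs earlier in the function, since restricting `operation` to key characters does not by itself limit who may invoke maintenance operations. For documentation, a short comment stating which characters `d4p_sanitize_key_expanded()` permits would help, because that character set is the boundary this change introduces.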

Exploit Outline

1. Find a page on the target WordPress site that renders a GD Rating System widget to obtain a valid AJAX nonce from the localized gdrts_front_vars or gdrts_data JavaScript objects.
2. Construct an unauthenticated HTTP POST request to /wp-admin/admin-ajax.php.
3. Set the 'action' parameter to 'gdrts_load_votes' (or other frontend AJAX actions registered via wp_ajax_nopriv).
4. Inject a SQL payload into the 'post_id' or 'paged' parameter. For example, use a time-based payload like '1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)' to verify the vulnerability.
5. Use UNION-based queries or error-based techniques to extract sensitive data such as user hashes or plugin configuration secrets from the database.
