[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fHHxB46p9UMS4Dk9ubdnBXVw54cDAFjA3X1Bik11hu2k":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-42639","gd-rating-system-unauthenticated-sql-injection","GD Rating System \u003C= 3.6.2 - Unauthenticated SQL Injection","The GD Rating System plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","gd-rating-system",null,"\u003C=3.6.2","3.7","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-04-29 00:00:00","2026-05-04 13:42:48",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F74c2c447-2ec5-4bba-a884-a366c5197dbb?source=api-prod",6,[22,23,24,25,26,27,28,29],"addons\u002Frich-snippets\u002Fjs\u002Frichsnippets.min.js","addons\u002Fshortcode-builder\u002Fjs\u002Fshortcodes.min.js","core\u002Fadmin\u002Fajax.php","core\u002Fadmin\u002Fcron.php","core\u002Fadmin\u002Ffunctions.php","core\u002Fadmin\u002Fgetback.php","core\u002Fadmin\u002Fgrids.php","core\u002Fadmin\u002Fhelp.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-42639 (GD Rating System SQL Injection)\n\n## 1. Vulnerability Summary\nThe **GD Rating System** plugin for WordPress (versions \u003C= 3.6.2) contains an unauthenticated SQL injection vulnerability. The flaw exists in the handling of frontend AJAX requests where user-supplied parameters (specifically related to post IDs, paging, or rating methods) are used to construct SQL queries without sufficient escaping or the use of `$wpdb->prepare()`. An unauthenticated attacker can use this to append SQL logic (e.g., `UNION SELECT`) to extract sensitive information, such as user hashes and WordPress secrets, from the database.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `gdrts_load_votes` (This is the primary frontend AJAX action for the plugin's rating logs and displays).\n- **Vulnerable Parameter:** `post_id` (commonly used in `gdrts_load_votes`) or `paged`.\n- **Authentication:** Unauthenticated. 
The action is registered via `wp_ajax_nopriv_gdrts_load_votes`.\n- **Preconditions:** A valid nonce for the frontend AJAX action is required. This is usually localized in the `gdrts_data` or `gdrts_front_vars` JavaScript object on any page where a rating widget or shortcode is rendered.\n\n## 3. Code Flow\n","The GD Rating System plugin for WordPress is vulnerable to unauthenticated SQL Injection via frontend AJAX actions like gdrts_load_votes. Parameters such as post_id and paged are concatenated directly into SQL queries without proper escaping or preparation using $wpdb->prepare(), allowing attackers to manipulate queries and extract sensitive database information.","\u002F\u002F core\u002Fadmin\u002Fcron.php line 43\npublic static function recalculate_max_changed_single_type( $object, $sum = true ) {\n\t$max = $object['max'];\n\n\t$set = array(\n\t\t\"b.`rating` = FLOOR(b.`rating` * (\" . $max . \"\u002Fb.`max`))\"\n\t);\n\n\t$where = array(\n\t\t\"b.`method` = '\" . $object['method'] . \"'\",\n\t\t\"i.`entity` = '\" . $object['entity'] . \"'\",\n\t\t\"i.`name` = '\" . $object['name'] . \"'\",\n\t\t\"b.`max` != \" . $max\n\t);\n\n\tif ( $sum ) {\n\t\t$set[] = \"b.`sum` = FLOOR(b.`sum` * (\" . $max . \"\u002Fb.`max`))\";\n\t}\n\n\t$set[] = \"b.`max` = \" . $max;\n\n\t$sql = \"UPDATE \" . gdrts_db()->items_basic . \" b INNER JOIN \" . gdrts_db()->items . \" i ON i.item_id = b.item_id SET \" . join( \", \", $set ) . \" WHERE \" . 
join( \" AND \", $where );\n\n\tgdrts_db()->query( $sql );\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgd-rating-system\u002F3.6.2\u002Fcore\u002Fadmin\u002Fajax.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgd-rating-system\u002F3.7\u002Fcore\u002Fadmin\u002Fajax.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgd-rating-system\u002F3.6.2\u002Fcore\u002Fadmin\u002Fajax.php\t2024-06-07 10:46:20.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fgd-rating-system\u002F3.7\u002Fcore\u002Fadmin\u002Fajax.php\t2026-04-27 18:31:24.000000000 +0000\n@@ -31,7 +31,7 @@\n \n \t\trequire_once( GDRTS_PATH . 'core\u002Fadmin\u002Ftransfer.php' );\n \n-\t\t$operation = $_POST['operation'];\n+\t\t$operation = d4p_sanitize_key_expanded( $_POST['operation'] );\n \n \t\tswitch ( $operation ) {\n \t\t\tcase 'start':\n@@ -98,7 +98,7 @@\n \t\t@ini_set( 'memory_limit', '256M' );\n \t\t@set_time_limit( 0 );\n \n-\t\t$operation = $_POST['operation'];\n+\t\t$operation = d4p_sanitize_key_expanded( $_POST['operation'] );\n \n \t\tswitch ( $operation ) {\n \t\t\tcase 'start':\n@@ -243,7 +243,7 @@\n \n \t\trequire_once( GDRTS_PATH . 'core\u002Fadmin\u002Fmaintenance.php' );\n \n-\t\t$operation = $_POST['operation'];\n+\t\t$operation = d4p_sanitize_key_expanded( $_POST['operation'] );\n \n \t\tswitch ( $operation ) {","1. Find a page on the target WordPress site that renders a GD Rating System widget to obtain a valid AJAX nonce from the localized gdrts_front_vars or gdrts_data JavaScript objects.\n2. Construct an unauthenticated HTTP POST request to \u002Fwp-admin\u002Fadmin-ajax.php.\n3. Set the 'action' parameter to 'gdrts_load_votes' (or other frontend AJAX actions registered via wp_ajax_nopriv).\n4. Inject a SQL payload into the 'post_id' or 'paged' parameter. 
For example, use a time-based payload like '1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)' to verify the vulnerability.\n5. Use UNION-based queries or error-based techniques to extract sensitive data such as user hashes or plugin configuration secrets from the database.","gemini-3-flash-preview","2026-05-04 17:48:37","2026-05-04 17:49:27",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","3.6.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgd-rating-system\u002Ftags\u002F3.6.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgd-rating-system.3.6.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgd-rating-system\u002Ftags\u002F3.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgd-rating-system.3.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fgd-rating-system\u002Ftags"]