External risk intelligence

GD Rating System SQL Injection Vulnerability

CVE advisory. Severity: CRITICAL (CVSS 9.3)

CVE-2026-42639

An unauthenticated SQL injection vulnerability exists in a WordPress rating system plugin. If reachable, this could allow unauthorized access to or modification of rating data, impacting data integrity and potentially leading to unauthorized access. The vulnerability is network-exploitable and not yet listed in known e

Halo Surface Signal: 4

SQL Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-42639

The vulnerability affects a WordPress plugin, which is designed to be installed on web-accessible sites. As a rating system, it is intended to be interacted with by public visitors to the website, making the vulnerable component commonly reachable from the internet in standard deployments.

PCI scan relevance

PCI Relevance for CVE-2026-42639

Yes

CVE-2026-42639 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This unauthenticated SQL injection vulnerability affects systems processing or storing sensitive data, making it relevant to PCI DSS. PCI DSS Requirement 6.5.1 specifically mandates protection against injection flaws, including SQL injection.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This CVE involves an unauthenticated SQL injection vulnerability in a WordPress plugin that affects how user ratings are managed. At a high level, this could allow unauthorized access to or manipulation of rating data, depending on the plugin's specific implementation and the data it handles. The main concern is confirming relevance and exposure for any deployed instances.

  • Unauthenticated SQL injection in a rating system.
  • Matters for data integrity and unauthorized access.
  • Confirm relevance and exposure to rating data.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this SQL injection vulnerability by sending specially crafted requests to the affected system. Because the vulnerability is in a rating system plugin for WordPress, it is likely exposed to the internet and accessible by anyone. Successful exploitation could lead to unauthorized access to or modification of the database.

  • No authentication required.
  • Triggered via crafted network requests.
  • Potential for unauthorized data access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to inject SQL commands into the GD Rating System when it is deployed and configured in a specific manner. This could potentially lead to unauthorized access or modification of the rating system's data.

  • Rating system data could be exposed.
  • SQL injection via unauthenticated requests.
  • Unauthorized data access or modification.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This SQL injection vulnerability in the GD Rating System plugin likely falls under the responsibility of the application owner or the team managing WordPress instances. The first practical step is to identify all sites using this plugin, determine their exposure and criticality, and then coordinate with the responsible owner to plan remediation.

  • Application owners should prioritize this.
  • Verify plugin usage and exposure.
  • Plan remediation during maintenance.

Frequently asked questions

What is the GD Rating System?

GD Rating System is a plugin for WordPress, a popular platform used to build and manage websites. It provides the functionality for site visitors to leave ratings or feedback on content. Because it is a plugin, it integrates directly into the website's database to store these user-submitted scores and preferences.

What is the nature of the CVE-2026-42639 vulnerability?

This vulnerability is classified as an SQL Injection (CWE-89). It occurs when a program improperly handles user-provided data, allowing an attacker to insert malicious database commands. In this case, the plugin fails to properly sanitize input, which may allow unauthorized parties to interact with the underlying database without needing an account.
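The CWE-89 pattern described above, shown as an added example that is not code from the plugin or from this advisory: a rating lookup that concatenates the caller's input into the SQL text, next to the hardened form that binds it as a parameter, plus an input-type check as a second layer. The table, its columns and the sample rows are constructed for the demonstration and are not the plugin's real schema.

```python
import sqlite3

# Constructed sample data standing in for a rating table (not the plugin's schema).
SAMPLE_RATINGS = [
    (1, 101, 5),   # id, post_id, score
    (2, 101, 4),
    (3, 202, 1),
]


def make_db():
    """Create an in-memory database holding the constructed ratings table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ratings (id INTEGER PRIMARY KEY, post_id INTEGER, score INTEGER)"
    )
    conn.executemany("INSERT INTO ratings VALUES (?, ?, ?)", SAMPLE_RATINGS)
    conn.commit()
    return conn


def scores_vulnerable(conn, post_id):
    """CWE-89: the request value is pasted into the SQL text, so anything the
    caller sends becomes part of the query grammar rather than a value."""
    sql = f"SELECT score FROM ratings WHERE post_id = {post_id} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def scores_safe(conn, post_id):
    """Hardened form: a bound parameter is always treated as data. The same
    input that widens the vulnerable query simply matches nothing here."""
    sql = "SELECT score FROM ratings WHERE post_id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (post_id,))]


def scores_validated(conn, post_id):
    """Defence in depth: enforce the expected type before the value reaches the
    database, so malformed identifiers are rejected with an error, not queried."""
    if isinstance(post_id, bool) or not (
        isinstance(post_id, int) or (isinstance(post_id, str) and post_id.isdigit())
    ):
        raise ValueError("post_id must be a non-negative integer")
    return scores_safe(conn, int(post_id))


if __name__ == "__main__":
    db = make_db()
    print("normal lookup  :", scores_safe(db, 101))
    print("vulnerable path:", scores_vulnerable(db, "101 OR 1=1"))  # every row leaks
    print("hardened path  :", scores_safe(db, "101 OR 1=1"))        # no rows
```

The same distinction applies inside WordPress: a query built with string interpolation is the vulnerable shape, while one passed through `$wpdb->prepare()` with placeholders is the bound-parameter shape. Reviewing a plugin for unprepared queries that touch request data is the code-level check behind the "verify plugin usage and exposure" advice given elsewhere on this page.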

How can an attacker trigger this SQL injection?

An attacker triggers this flaw by sending specially crafted network requests to the website hosting the plugin. Since the vulnerability is unauthenticated, no login or administrative credentials are required to initiate the attack. However, the flaw requires the plugin to be actively processing rating-related data; static or disabled components are generally not the focus of this specific vulnerability path.

Is my website at risk from this vulnerability?

According to Halo Surface Signal, this vulnerability is likely to affect many users because the plugin is designed for public interaction on web-accessible sites. If your WordPress site uses GD Rating System versions 3.6.2 or earlier, your instance is likely reachable from the internet, increasing the relevance of this issue to your environment.

What should I do if I use this plugin?

Start by performing an inventory of your WordPress installations to identify where GD Rating System is currently active. Once identified, evaluate the criticality of those sites and the data they handle. Coordinate with your team to plan for updates or changes to your site's configuration to mitigate the potential for unauthorized database access while maintaining your site's functionality.
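The inventory step recommended in the Operational Fix section and in this answer, as an added example that is not part of the advisory or of the plugin: a script that walks a `wp-content/plugins` directory, reads each plugin's main-file header, and flags every copy of GD Rating System whose `Version:` header is 3.6.2 or earlier (the affected range stated above). The plugin directory names and the sample header files are constructed for the demonstration, and the exact directory slug the plugin uses is an assumption; matching is done on the `Plugin Name:` header, which is what WordPress itself reads.

```python
import os
import re
import sys
import tempfile

AFFECTED_PLUGIN = "GD Rating System"
LAST_AFFECTED_VERSION = "3.6.2"   # advisory: "versions 3.6.2 or earlier"

# WordPress plugin headers live in a comment block at the top of the main file,
# one "Field: value" per line, optionally prefixed with " * ".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(text):
    """Return the Plugin Name and Version fields found in a plugin file's header."""
    return {m.group(1): m.group(2) for m in HEADER_RE.finditer(text)}


def version_tuple(version):
    """'3.6.10' -> (3, 6, 10) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_affected(version):
    """True when the version falls inside the affected range (<= 3.6.2)."""
    return version_tuple(version) <= version_tuple(LAST_AFFECTED_VERSION)


def scan_plugins_dir(plugins_dir):
    """Return (directory, version, affected) for every GD Rating System copy found."""
    findings = []
    for entry in sorted(os.listdir(plugins_dir)):
        plugin_path = os.path.join(plugins_dir, entry)
        if not os.path.isdir(plugin_path):
            continue
        for fname in sorted(os.listdir(plugin_path)):
            if not fname.endswith(".php"):
                continue
            with open(os.path.join(plugin_path, fname), encoding="utf-8", errors="replace") as fh:
                header = parse_plugin_header(fh.read(8192))  # WordPress reads only the first 8 KB
            if header.get("Plugin Name") == AFFECTED_PLUGIN:
                version = header.get("Version", "0")
                findings.append((entry, version, is_affected(version)))
                break
    return findings


def build_sample_tree(root):
    """Constructed fixture: three plugin directories written only for this demo."""
    samples = {
        "gd-rating-system": ("GD Rating System", "3.6.2"),        # slug is an assumption
        "gd-rating-system-copy": ("GD Rating System", "3.7.0"),   # hypothetical later version
        "example-contact-form": ("Example Contact Form", "1.2.0"),
    }
    for dirname, (name, version) in samples.items():
        os.makedirs(os.path.join(root, dirname))
        with open(os.path.join(root, dirname, dirname + ".php"), "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: {name}\nVersion: {version}\n*/\n")


def demo_scan():
    """Run the scanner over the constructed fixture and return the affected copies."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(d, v) for d, v, affected in scan_plugins_dir(root) if affected]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_plugins_dir(target) if target else demo_scan()
    for item in results:
        print("affected:", item)
```

Run it with the path to a site's `wp-content/plugins` directory to inventory that site; without an argument it scans the constructed fixture. On hosts with WP-CLI available, `wp plugin list` gives the same name-and-version listing per site and can feed the same `is_affected` comparison.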
