Skip to main content

GD Rating System EUVDEUVD-2026-43391

| CVE-2026-57771 HIGH
SQL Injection (CWE-89)
2026-07-13 Patchstack
8.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
7.1 HIGH

Network-reachable SQLi needing a low-privilege account (PR:L, AC:L); high confidentiality via data extraction, limited integrity from possible write, and no scope change since impact stays within the database.

3.1 AV:N/AC:L/PR:L/UI:N/S:N/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:36 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 8.5

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Milan Petrovic GD Rating System gd-rating-system allows Blind SQL Injection.This issue affects GD Rating System: from n/a through <= 3.7.

AnalysisAI

Blind SQL injection in the GD Rating System WordPress plugin (versions up to and including 3.7) allows authenticated attackers to inject arbitrary SQL into backend database queries. Because the CVSS vector shows PR:L, a low-privileged authenticated user can extract sensitive database contents (CVSS 8.5, scope-changed). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege WordPress account
Delivery
Send crafted request to rating parameter
Exploit
Inject blind SQL payload
Execution
Infer data via boolean/time responses
Impact
Exfiltrate database contents

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session at low privilege (CVSS PR:L) on a WordPress site running GD Rating System version 3.7 or earlier, and network access to the plugin's vulnerable input (AV:N, AC:L, no user interaction). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L) describes a network-reachable, low-complexity attack requiring only low-level authentication and no user interaction, with a scope change and high confidentiality impact - consistent with a real, prioritizable SQL injection. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a low-privilege WordPress account on a site running GD Rating System <= 3.7, then submits a crafted request to a vulnerable plugin parameter that is concatenated into a SQL query. Using time-based or boolean blind techniques, they iteratively extract data such as password hashes, secret keys, or user PII from the database. …
Remediation No vendor-released patch version was identified at time of analysis; the input only confirms all versions up to and including 3.7 are affected. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all WordPress installations using GD Rating System versions 3.7 and below and audit database query logs for suspicious SQL patterns. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2018-5291 HIGH POC
7.5 Jan 08

The GD Rating System plugin 2.3 for WordPress has Directory Traversal in the wp-admin/admin.php panel parameter for the

CVE-2018-5290 HIGH POC
7.5 Jan 08

The GD Rating System plugin 2.3 for WordPress has Directory Traversal in the wp-admin/admin.php panel parameter for the

CVE-2018-5289 HIGH POC
7.5 Jan 08

The GD Rating System plugin 2.3 for WordPress has Directory Traversal in the wp-admin/admin.php panel parameter for the

CVE-2018-5287 HIGH POC
7.5 Jan 08

The GD Rating System plugin 2.3 for WordPress has Directory Traversal in the wp-admin/admin.php panel parameter for the

CVE-2018-5293 MEDIUM POC
6.1 Jan 08

The GD Rating System plugin 2.3 for WordPress has XSS via the wp-admin/admin.php panel parameter for the gd-rating-syste

CVE-2018-5292 MEDIUM POC
6.1 Jan 08

The GD Rating System plugin 2.3 for WordPress has XSS via the wp-admin/admin.php panel parameter for the gd-rating-syste

CVE-2018-5288 MEDIUM POC
6.1 Jan 08

The GD Rating System plugin 2.3 for WordPress has XSS via the wp-admin/admin.php panel parameter for the gd-rating-syste

CVE-2018-5286 MEDIUM POC
6.1 Jan 08

The GD Rating System plugin 2.3 for WordPress has XSS via the wp-admin/admin.php panel parameter for the gd-rating-syste

CVE-2026-42639 CRITICAL
9.3 Jun 15

Unauthenticated SQL injection in the GD Rating System WordPress plugin (versions <= 3.6.2) allows remote attackers to in

CVE-2024-25093 HIGH
7.1 Feb 29

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Milan Petrovic GD

Share

EUVD-2026-43391 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy