CVE-2026-42639: WordPress GD Rating System plugin <= 3.6.2 - SQL Injection vulnerability
Unauthenticated SQL Injection in GD Rating System <= 3.6.2 versions.
Metrics
- CVSS v3.1: 9.3
- Severity: CRITICAL
- Fixed in: — (no upstream fix published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated SQL injection vulnerability affects the GD Rating System WordPress plugin at version 3.6.2 and below. The flaw is reachable over the network with no authentication required and no user interaction needed, allowing an attacker to send crafted requests directly to the affected endpoint. Successful exploitation gives an attacker read access to the underlying database contents and causes minor disruption to service availability. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
Detection for CVE-2026-42639 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the GD Rating System plugin. Any image carrying an affected version of the plugin is flagged automatically during both registry scans and active pipeline runs.
- Status: Available
HarborGuard scores this finding at its published CVSS v3.1 base score of 9.3 (Critical) and weights it against each customer environment's compliance policy to determine priority. Triage results are routed to the appropriate team inbox within each customer organization based on configured ownership and policy rules.
- Status: Available
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically once Dev4Press ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads are triggered without manual intervention once the upstream fix becomes available.
- Status: Pending upstream
Exploit Conditions
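The image-matching step described above comes down to reading the plugin's version header and comparing it numerically against the affected range. The Python below is an added illustration written for this page, not HarborGuard's scanner code or anything from the plugin: the plugin header text is a constructed sample in the WordPress plugin-header format, and the `<= 3.6.2` bound is taken from the advisory. It also shows the pitfall a naive scanner hits, namely that comparing version strings lexically would mark 3.10.0 as affected.

```python
import re

# Affected range from the advisory: GD Rating System <= 3.6.2.
AFFECTED_MAX = "3.6.2"

# Constructed sample of a WordPress plugin main-file header (not the real
# plugin file). WordPress reads the "Version:" line out of this block.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: GD Rating System
Plugin URI: https://example.invalid/
Version: 3.6.2
Author: Dev4Press
*/
"""

# Matches "Version:" at the start of a header line, allowing the comment
# decoration (" * ", "# ", "@") that WordPress itself tolerates.
_VERSION_LINE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE)


def plugin_version(header_text):
    """Return the Version: header value, or None if the file has none."""
    m = _VERSION_LINE.search(header_text)
    return m.group(1) if m else None


def parse_version(version):
    """Turn '3.6.2' into a zero-padded tuple of ints for numeric comparison.

    Plain string comparison gets this wrong: '3.10.0' <= '3.6.2' is True as
    strings because '1' sorts before '6'. A pre-release suffix such as
    '-rc1' is dropped, so 3.6.3-rc1 compares as 3.6.3; that is an assumption
    of this example, not something the advisory states.
    """
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    nums = []
    for part in core.split("."):
        if not part.isdigit():
            raise ValueError(f"unrecognised version component {part!r} in {version!r}")
        nums.append(int(part))
    while len(nums) < 4:          # 3.6 and 3.6.0 compare equal
        nums.append(0)
    return tuple(nums)


def is_affected(version, affected_max=AFFECTED_MAX):
    """True when version <= affected_max under numeric component comparison."""
    return parse_version(version) <= parse_version(affected_max)


def check_plugin_file(header_text):
    """Scanner-style verdict for one plugin main file's header text."""
    version = plugin_version(header_text)
    if version is None:
        return {"version": None, "affected": None}   # cannot decide; surface for review
    return {"version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    print(check_plugin_file(SAMPLE_PLUGIN_HEADER))
    for v in ("3.5", "3.6.2", "3.6.3", "3.10.0"):
        print(v, "affected" if is_affected(v) else "not affected")
```

A scanner that only reads `readme.txt`'s `Stable tag:` can be fooled by a mismatched readme; the `Version:` line in the plugin's main PHP file is what WordPress actually reports, so that is the value to compare.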
- Network reachability: Required
The vulnerable endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via HTTP or HTTPS to send a malicious request.
- Authentication: Not required
No account or session credential of any kind is needed; the injection point is accessible to any anonymous HTTP client.
- Victim interaction: Not required
The attacker sends requests directly to the server; no user action such as clicking a link or visiting a page is required.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special preconditions, race conditions, or knowledge of environmental factors.
Blast Radius
- Reads arbitrary database rows, including WordPress user credentials (hashed passwords), email addresses, session tokens, and any data stored by other plugins or themes.
- Scope is changed (S:C): the vulnerable component is the plugin, but the impact lands on the WordPress database as a whole, so data readable via the injection is not limited to the plugin's own tables and extends to every table the site's database user can read.
- Causes minor degradation of service availability through resource-intensive injected queries, which can slow or intermittently disrupt responses for legitimate users.
How HarborGuard Handles This
Remediation status: because no upstream fix exists for CVE-2026-42639 at this time, the platform monitors the Dev4Press advisory on every ingest cycle and will trigger a patched-image rebuild the moment a fixed version is published; for customers with auto-remediation enabled, that rebuild is followed by a regression test run and a PR opened against any affected workloads, with no manual steps required. Until a patch exists, compensating controls worth considering are, in rough order of strength: disabling the GD Rating System plugin where the feature is non-essential, and removing its files as well, since deactivation alone does not stop a request that hits a plugin PHP file directly; network-policy rules that restrict public internet access to the WordPress installation; and web application firewall rules targeting SQL injection patterns on the plugin's request paths, which are a stopgap only, because signature-based filtering can usually be bypassed by an attacker who knows the injection point. HarborGuard will surface the patched rebuild and update the finding status automatically once the upstream fix is published.
- Dev4Press / GD Rating System: ≤ 3.6.2
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L