CVE-2026-57771

Milan Petrovic · GD Rating System

The Milan Petrovic GD Rating System plugin for WordPress is susceptible to Blind SQL Injection due to improper input sanitization.

Executive summary

A Blind SQL Injection vulnerability in the Milan Petrovic GD Rating System plugin allows authenticated attackers to potentially compromise database information.

Vulnerability

The plugin contains a Blind SQL Injection (CWE-89) vulnerability, allowing an authenticated attacker to execute arbitrary SQL queries against the database. The flaw requires low-level privileges (PR:L) to perform the attack.

Business impact

This high-severity vulnerability (CVSS 8.5) risks significant data leakage and unauthorized database access. If exploited, an attacker could potentially view sensitive user data or system configuration details, impacting the overall security posture and compliance status of the affected WordPress environment.

Remediation

Immediate Action: As no patch is currently available, administrators should evaluate the necessity of the plugin and consider deactivating it until a fix is released.

Proactive Monitoring: Audit database logs for unusual query activity originating from authenticated user accounts.

Compensating Controls: Utilize a Web Application Firewall (WAF) to filter incoming requests and block suspicious SQL syntax directed at the plugin’s endpoints.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the lack of a current patch, the most effective mitigation is to deactivate the GD Rating System plugin. Security teams should monitor the vendor’s security advisory page closely for the release of a patched version (3.7.1 or higher) before re-enabling the functionality.