CVE-2026-9065
CriticalSummary
SureCart versions prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters on the REST API endpoint '/surecart/v1/integrations/{id}'. The issue stems from a flawed escaping bypass in the query builder.
Risk Assessment
An attacker can exploit this vulnerability to inject arbitrary SQL, allowing full extraction of data from the database. This poses a serious threat to the integrity and confidentiality of the organization's data.
Recommendation
It is recommended to update SureCart to version 4.2.1 or later to mitigate this vulnerability. Additionally, conducting a security audit of the application to identify other potential vulnerabilities is advisable.
Original NVD description (English source)
SureCart version prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint '/surecart/v1/integrations/{id}'. The root cause is a flawed escaping bypass in the query builder ('wp-query-builder'). Values passed to the 'where()' method are only sanitized via '$wpdb->prepare()' when they do **not** contain a dot ('.') or the WordPress table prefix ('wp_'). By including a dot anywhere in the payload, an attacker completely bypasses the escaping logic and injects arbitrary SQL into the 'WHERE' clause, allowing full UNION-based extraction of the database.

