Description
Contributor SQL Injection in WP EasyCart <= 5.9.0 versions.
Published: 2026-07-02
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in WP EasyCart allows an attacker to inject arbitrary SQL commands through the contributor input fields. The flaw is a classic SQL Injection (CWE-89) that can lead to unauthorized reading, modification, or deletion of database records. Its impact can take the form of data theft, manipulation of order information, corruption of user data, or escalation of privileges through malicious queries.

Affected Systems

The affected product is WP EasyCart by Levelfourdevelopment. All plugin versions up to and including 5.9.0 are vulnerable; versions 5.9.1 and later are not reported as affected.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity; EPSS data is unavailable, and the absence of a KEV listing does not rule out exploitation. The likely attack vector is the web interface, specifically requests carrying contributor-supplied data that is not properly sanitized. Exploitation requires that the attacker can supply input in a contributor-enabled context, i.e. authenticated contributor privileges are needed. The combination of a high CVSS score and a web-based attack surface means that, should an adversary target a site, the risk of an active attack is significant.

Generated by OpenCVE AI on July 2, 2026 at 14:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WP EasyCart to the latest available version (>=5.9.1).
  • If the update cannot be performed immediately, disable or remove the contributor feature or revoke contributor role privileges to remove the injection entry points.
  • Implement strict input validation and parameterized queries for any remaining contributor interface, ensuring that user-supplied data is never concatenated into SQL statements.
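The third action above is the one a plugin developer acts on. The following PHP is an added illustration written for this page; it is not WP EasyCart's code and says nothing about where the plugin's own defect lies. It contrasts the unsafe pattern (request data concatenated into SQL, CWE-89) with the hardened form using WordPress's `$wpdb->prepare()`, preceded by a capability check and input validation. The function names, the `ec_example_orders` table and the use of `manage_options` as the required capability are assumptions for the example.

```php
<?php
// Added illustration, not code from WP EasyCart. Function names, the table
// name and the capability used below are assumed for the example.

// Unsafe pattern: user-supplied input is concatenated into the SQL text,
// so the input can change the structure of the query (CWE-89).
function ec_example_find_orders_unsafe( $customer_email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ec_example_orders'; // assumed table name
    $sql   = "SELECT order_id, total FROM {$table} WHERE email = '{$customer_email}'";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: authorization check, input validation, then a
// parameterized query built with $wpdb->prepare().
function ec_example_find_orders_safe( $customer_email ) {
    global $wpdb;

    // Low-privilege roles (e.g. Contributor) must not reach order data at all;
    // 'manage_options' stands in for a plugin-specific capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }

    // Validate the shape of the input before it gets near the database.
    $customer_email = sanitize_email( $customer_email );
    if ( ! is_email( $customer_email ) ) {
        return new WP_Error( 'invalid_email', 'Not a valid e-mail address.' );
    }

    // The table name is derived from $wpdb->prefix, never from the request;
    // the value is bound through a %s placeholder, so quoting and escaping
    // are handled by WordPress rather than by string concatenation.
    $table = $wpdb->prefix . 'ec_example_orders';
    $sql   = $wpdb->prepare(
        "SELECT order_id, total FROM {$table} WHERE email = %s",
        $customer_email
    );
    return $wpdb->get_results( $sql );
}
```

The capability check matters as much as the placeholder: the advisory's vector (PR:L) describes an authenticated low-privilege user, so an endpoint that runs order queries on behalf of a Contributor is a design problem even if every query is parameterized.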

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 14:00:00 +0000

  • First Time appeared
    Values Added: Levelfourdevelopment; Levelfourdevelopment wp-easycart; Wordpress; Wordpress wordpress
  • Vendors & Products
    Values Added: Levelfourdevelopment; Levelfourdevelopment wp-easycart; Wordpress; Wordpress wordpress

Thu, 02 Jul 2026 11:30:00 +0000

  • Description
    Values Added: Contributor SQL Injection in WP EasyCart <= 5.9.0 versions.
  • Title
    Values Added: WordPress WP EasyCart plugin <= 5.9.0 - SQL Injection vulnerability
  • Weaknesses
    Values Added: CWE-89
  • References
    Values Added: (none listed on this page)
  • Metrics
    Values Added: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T11:28:02.163Z

Reserved: 2026-06-25T08:04:41.580Z

Link: CVE-2026-57765

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:00:12Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')