Description
SureCart version prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint '/surecart/v1/integrations/{id}'.

The root cause is a flawed escaping bypass in the query builder ('wp-query-builder'). Values passed to the 'where()' method are only sanitized via '$wpdb->prepare()' when they do **not** contain a dot ('.') or the WordPress table prefix ('wp_'). By including a dot anywhere in the payload, an attacker completely bypasses the escaping logic and injects arbitrary SQL into the 'WHERE' clause, allowing full UNION-based extraction of the database.
Published: 2026-05-20
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SureCart versions before 4.2.1 contain an authenticated SQL injection flaw on the REST API endpoint '/surecart/v1/integrations/{id}'. By inserting a dot into payloads such as 'model_name', 'model_id', 'integration_id', or 'provider', the query builder bypasses the normal escaping mechanism, allowing an attacker to inject arbitrary SQL, including UNION statements that can retrieve database contents.

Affected Systems

The affected product is the Surecart e‑commerce plugin from brainstormforce, with all releases prior to version 4.2.1 vulnerable.

Risk and Exploitability

The CVSS score of 9.3 indicates severe impact. EPSS is not available and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires authenticated access to the REST API, so a user with sufficient privileges can leverage the flaw to exfiltrate sensitive data.

Generated by OpenCVE AI on May 20, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Surecart to version 4.2.1 or later to fix the SQL injection
  • If a patch cannot be applied immediately, use a web application firewall to block requests to '/surecart/v1/integrations/' that contain a dot in the query parameters
  • Limit REST API access to only authorized users and remove any unused API credentials

Generated by OpenCVE AI on May 20, 2026 at 09:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Brainstormforce
Brainstormforce surecart
Wordpress
Wordpress wordpress
Vendors & Products Brainstormforce
Brainstormforce surecart
Wordpress
Wordpress wordpress

Wed, 20 May 2026 08:45:00 +0000

Type Values Removed Values Added
Description SureCart version prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint '/surecart/v1/integrations/{id}'. The root cause is a flawed escaping bypass in the query builder ('wp-query-builder'). Values passed to the 'where()' method are only sanitized via '$wpdb->prepare()' when they do **not** contain a dot ('.') or the WordPress table prefix ('wp_'). By including a dot anywhere in the payload, an attacker completely bypasses the escaping logic and injects arbitrary SQL into the 'WHERE' clause, allowing full UNION-based extraction of the database.
Title Surecart - SQL Injection
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H'}

Subscriptions

Brainstormforce Surecart
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: tenable

Published:

Updated: 2026-05-20T14:19:07.262Z

Reserved: 2026-05-20T08:19:43.782Z

Link: CVE-2026-9065

cve-icon Vulnrichment

Updated: 2026-05-20T14:19:01.428Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T09:16:27.217

Modified: 2026-05-20T14:01:24.027

Link: CVE-2026-9065

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T10:37:50Z

Weaknesses