CVE-2026-9065
Description
SureCart versions prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint '/surecart/v1/integrations/{id}'.
The root cause is a flawed escaping bypass in the query builder ('wp-query-builder'). Values passed to the 'where()' method are only sanitized via '$wpdb->prepare()' when they do not contain a dot ('.') or the WordPress table prefix ('wp_'). By including a dot anywhere in the payload, an attacker completely bypasses the escaping logic and injects arbitrary SQL into the 'WHERE' clause, allowing full UNION-based extraction of the database.
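As an added illustration, not code from SureCart or wp-query-builder (whose actual source this page does not show), the PHP below reconstructs the data-dependent escaping decision the description ascribes to where() and places it beside an always-prepare version; WpdbStub, whereVulnerable and whereHardened are hypothetical stand-ins, and PHP 8+ is assumed.

```php
<?php
// Added illustration, not SureCart's or wp-query-builder's own code.
// Assumptions: PHP 8+, and a tiny stand-in for $wpdb so this runs outside WordPress.

class WpdbStub {
    public string $prefix = 'wp_';

    // Minimal stand-in for $wpdb->prepare(): every %s becomes a quoted, escaped literal.
    public function prepare(string $query, string ...$args): string {
        $quoted = array_map(fn(string $a): string => "'" . addslashes($a) . "'", $args);
        return vsprintf($query, $quoted);
    }
}

// Reconstructed flawed branch (from the advisory text, not the library source):
// prepare() is skipped whenever the value contains '.' or the table prefix.
function whereVulnerable(WpdbStub $wpdb, string $column, string $value): string {
    $skipEscaping = str_contains($value, '.') || str_contains($value, $wpdb->prefix);
    if ($skipEscaping) {
        return "WHERE {$column} = {$value}";          // raw value lands in the SQL
    }
    return $wpdb->prepare("WHERE {$column} = %s", $value);
}

// Hardened form: the decision to escape never depends on the data. Values always
// go through prepare(); only the identifier is validated, against a strict pattern.
function whereHardened(WpdbStub $wpdb, string $column, string $value): string {
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $column)) {
        throw new InvalidArgumentException("refusing unexpected column name: {$column}");
    }
    return $wpdb->prepare("WHERE {$column} = %s", $value);
}

$wpdb = new WpdbStub();

// Constructed inputs: a plain value, a dotted value carrying a quote, and one with the prefix.
foreach (['42', "1.0'", 'wp_users'] as $value) {
    printf("%-10s vulnerable: %s\n", $value, whereVulnerable($wpdb, 'model_id', $value));
    printf("%-10s hardened:   %s\n", $value, whereHardened($wpdb, 'model_id', $value));
}

// Regression check worth keeping in a test suite: a dotted value is still a quoted literal
// (assert() is a no-op when zend.assertions is disabled, as in production configs).
assert(whereHardened($wpdb, 'model_id', "a.b'c") === "WHERE model_id = 'a.b\\'c'");
```

Running it shows the vulnerable branch emitting the dotted and prefixed values unquoted while the hardened form quotes and escapes all three identically.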
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL injection in SureCart before 4.2.1 via dot bypass in query builder, allowing full database extraction.
Vulnerability
SureCart versions prior to 4.2.1 are vulnerable to authenticated SQL injection via the model_name, model_id, integration_id, and provider parameters on the REST API endpoint /surecart/v1/integrations/{id}. The root cause is a flawed escaping bypass in the wp-query-builder library: values passed to the where() method are only sanitized via $wpdb->prepare() when they do not contain a dot (.) or the WordPress table prefix (wp_). By including a dot in the payload, an attacker completely bypasses the escaping logic and can inject arbitrary SQL into the WHERE clause [1].
Exploitation
An attacker requires authentication with at least subscriber-level privileges on the WordPress site, as the vulnerable endpoint is accessible only to authenticated users. The attacker crafts a malicious value for any of the affected parameters (model_name, model_id, integration_id, provider) that includes a dot (.) and contains a SQL injection payload. When the request is processed, the flawed sanitization check sees the dot and skips the $wpdb->prepare() call, allowing the raw injected SQL to be executed. No additional user interaction or race condition is needed [1].
Impact
Successful exploitation allows a fully authenticated attacker to perform UNION-based SQL injection, enabling extraction of arbitrary data from the WordPress database, including user credentials, session tokens, and other sensitive information. This can lead to complete compromise of the WordPress site and all associated user accounts [1].
Mitigation
The vulnerability is fixed in SureCart version 4.2.1, released on April 27, 2026. Users must upgrade to 4.2.1 or later immediately. There are no known workarounds for unpatched versions [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <4.2.1
- (no CPE) range: <4.2.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.