CVE-2026-9065
Description
SureCart versions prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint '/surecart/v1/integrations/{id}'.
The root cause is flawed escaping logic in the query builder ('wp-query-builder'). Values passed to its 'where()' method are only run through '$wpdb->prepare()' when they contain neither a dot ('.') nor the WordPress table prefix ('wp_'); any other value is concatenated into the query unescaped. An attacker who includes a dot anywhere in the payload therefore bypasses the escaping entirely and injects arbitrary SQL into the 'WHERE' clause, which allows UNION-based extraction of the database. Exploitation requires an authenticated request to the endpoint; the advisory does not state which role is needed, so treat any account that can reach the integrations route as in scope.
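To make the escaping skip concrete, the following is an added illustration in PHP of the pattern the advisory describes, placed beside a hardened form. It is not SureCart's or wp-query-builder's code: the FakeWpdb stub standing in for $wpdb, the function names, the allow-list and the payload strings are all assumptions chosen so the file runs stand-alone (PHP 8+) without WordPress.

```php
<?php
// Added illustration of the escaping skip described in the advisory. Not
// SureCart's or wp-query-builder's code: FakeWpdb, the function names, the
// allow-list and the payloads are assumptions so this runs without WordPress.

final class FakeWpdb
{
    public string $prefix = 'wp_';

    // Minimal stand-in for $wpdb->prepare(): %s becomes a single-quoted,
    // backslash-escaped string, %d an integer. The real wpdb does more; the
    // distinction that matters here is "bound" versus "interpolated raw".
    public function prepare(string $query, mixed ...$args): string
    {
        $i = 0;
        return preg_replace_callback('/%[sd]/', function (array $m) use ($args, &$i): string {
            $arg = $args[$i++] ?? '';
            return $m[0] === '%d'
                ? (string) (int) $arg
                : "'" . addslashes((string) $arg) . "'";
        }, $query);
    }
}

// Vulnerable shape: a value containing '.' or the table prefix is skipped past
// prepare() and concatenated raw (assumption: this was meant to let column
// references such as "wp_posts.ID" through); everything else is bound.
function vulnerableWhere(FakeWpdb $wpdb, string $column, string $value): string
{
    $skipsPrepare = str_contains($value, '.') || str_contains($value, $wpdb->prefix);
    if ($skipsPrepare) {
        return "WHERE {$column} = {$value}";
    }
    return $wpdb->prepare("WHERE {$column} = %s", $value);
}

// Hardened shape: a user-supplied value is always bound, and the column name
// is checked against an allow-list instead of being inferred from the value.
function hardenedWhere(FakeWpdb $wpdb, string $column, string $value, array $allowedColumns): string
{
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException("column not allowed: {$column}");
    }
    return $wpdb->prepare("WHERE {$column} = %s", $value);
}

$wpdb = new FakeWpdb();
$allowed = ['model_name', 'model_id', 'integration_id', 'provider'];

// Constructed payloads. The first contains no dot and no 'wp_', so it is bound
// and harmless. The second contains a dot (and the prefix), so the vulnerable
// builder concatenates it raw; the UNION's column count would have to match
// the real query for the extraction to succeed.
$boundPayload  = "x' OR 1=1 -- ";
$bypassPayload = "0 UNION SELECT user_login, user_pass FROM wp_users -- .";

echo vulnerableWhere($wpdb, 'model_name', $boundPayload), PHP_EOL;
echo vulnerableWhere($wpdb, 'model_name', $bypassPayload), PHP_EOL;
echo hardenedWhere($wpdb, 'model_name', $bypassPayload, $allowed), PHP_EOL;
```

Running it prints three WHERE clauses: the first with the quote escaped, the second with the UNION spliced in unquoted, and the third with the same bypass payload reduced to an inert quoted string. The practitioner's check is the second line: any code path that decides whether to call prepare() based on the content of the value, rather than on where the value came from, will have an equivalent bypass.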
Affected products (2 listed, no CPE assigned)
- (no CPE) affected range: < 4.2.1
- (no CPE) affected range: < 4.2.1