cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forsurecart surecart

Direction: ascending
Jun 06, 2024

WordPress Ecommerce For Creating Fast Online Stores – By SureCart # CVE-2023-41241

CVE, Research URL

CVE-2023-41241

Home page URL

Security reports for WordPress Ecommerce For Creating Fast Online Stores – By SureCart

Application

WordPress Ecommerce For Creating Fast Online Stores – By SureCart

Date
Sep 27, 2023
Research Description
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in SureCart WordPress Ecommerce For Creating Fast Online Stores plugin <= 2.5.0 versions.
Affected versions
max 2.5.1.
Status
vulnerable
Sep 01, 2024

WordPress Ecommerce For Creating Fast Online Stores &#8211; By SureCart # CVE-2024-43970

CVE, Research URL

CVE-2024-43970

Home page URL

Security reports for WordPress Ecommerce For Creating Fast Online Stores &#8211; By SureCart

Application

WordPress Ecommerce For Creating Fast Online Stores &#8211; By SureCart

Date
Sep 18, 2024
Research Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SureCart allows Reflected XSS.This issue affects SureCart: from n/a through 2.29.3.
Affected versions
max 2.29.4.
Status
vulnerable
Apr 13, 2026

WordPress Ecommerce For Creating Fast Online Stores &#8211; By SureCart # CVE-2026-39488

CVE, Research URL

CVE-2026-39488

Home page URL

Security reports for WordPress Ecommerce For Creating Fast Online Stores &#8211; By SureCart

Application

WordPress Ecommerce For Creating Fast Online Stores &#8211; By SureCart

Date
Apr 08, 2026
Research Description
Missing Authorization vulnerability in SureCart SureCart surecart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SureCart: from n/a through <= 4.0.2.
Affected versions
max 4.0.3.
Status
vulnerable
May 22, 2026

WordPress Ecommerce For Creating Fast Online Stores &#8211; By SureCart # CVE-2026-9065

CVE, Research URL

CVE-2026-9065

Home page URL

Security reports for WordPress Ecommerce For Creating Fast Online Stores &#8211; By SureCart

Application

WordPress Ecommerce For Creating Fast Online Stores &#8211; By SureCart

Date
May 20, 2026
Research Description
SureCart version prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint '/surecart/v1/integrations/{id}'. The root cause is a flawed escaping bypass in the query builder ('wp-query-builder'). Values passed to the 'where()' method are only sanitized via '$wpdb->prepare()' when they do **not** contain a dot ('.') or the WordPress table prefix ('wp_'). By including a dot anywhere in the payload, an attacker completely bypasses the escaping logic and injects arbitrary SQL into the 'WHERE' clause, allowing full UNION-based extraction of the database.
Affected versions
max 4.2.1.
Status
vulnerable