Vulnerabilities and security researches forsurecart surecart

May 22, 2026

CVE, Research URL: CVE-2026-9065
Home page URL: Security reports for WordPress Ecommerce For Creating Fast Online Stores – By SureCart
Application: WordPress Ecommerce For Creating Fast Online Stores – By SureCart
Date: May 20, 2026
Research Description: SureCart version prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint '/surecart/v1/integrations/{id}'. The root cause is a flawed escaping bypass in the query builder ('wp-query-builder'). Values passed to the 'where()' method are only sanitized via '$wpdb->prepare()' when they do **not** contain a dot ('.') or the WordPress table prefix ('wp_'). By including a dot anywhere in the payload, an attacker completely bypasses the escaping logic and injects arbitrary SQL into the 'WHERE' clause, allowing full UNION-based extraction of the database.
Affected versions: max 4.2.1.
Status: vulnerable

Apr 13, 2026

CVE, Research URL: CVE-2026-39488
Home page URL: Security reports for WordPress Ecommerce For Creating Fast Online Stores – By SureCart
Application: WordPress Ecommerce For Creating Fast Online Stores – By SureCart
Date: Apr 08, 2026
Research Description: Missing Authorization vulnerability in SureCart SureCart surecart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SureCart: from n/a through <= 4.0.2.
Affected versions: max 4.0.3.
Status: vulnerable

Sep 01, 2024

CVE, Research URL: CVE-2024-43970
Home page URL: Security reports for WordPress Ecommerce For Creating Fast Online Stores – By SureCart
Application: WordPress Ecommerce For Creating Fast Online Stores – By SureCart
Date: Sep 18, 2024
Research Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SureCart allows Reflected XSS.This issue affects SureCart: from n/a through 2.29.3.
Affected versions: max 2.29.4.
Status: vulnerable

Jun 06, 2024

CVE, Research URL: CVE-2023-41241
Home page URL: Security reports for WordPress Ecommerce For Creating Fast Online Stores – By SureCart
Application: WordPress Ecommerce For Creating Fast Online Stores – By SureCart
Date: Sep 27, 2023
Research Description: Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in SureCart WordPress Ecommerce For Creating Fast Online Stores plugin <= 2.5.0 versions.
Affected versions: max 2.5.1.
Status: vulnerable