cleantalk
Vulnerabilities and Security Researches

WordPress Ecommerce For Creating Fast Online Stores – By SureCart, CVE-2026-9065

CVE, Research URL

CVE-2026-9065

Home page URL

Security reports for WordPress Ecommerce For Creating Fast Online Stores – By SureCart

Application

WordPress Ecommerce For Creating Fast Online Stores – By SureCart

Published on
May 20, 2026
Research Description
SureCart version prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint '/surecart/v1/integrations/{id}'. The root cause is a flawed escaping bypass in the query builder ('wp-query-builder'). Values passed to the 'where()' method are only sanitized via '$wpdb->prepare()' when they do **not** contain a dot ('.') or the WordPress table prefix ('wp_'). By including a dot anywhere in the payload, an attacker completely bypasses the escaping logic and injects arbitrary SQL into the 'WHERE' clause, allowing full UNION-based extraction of the database.
Affected versions
max 4.2.1.
Status
vulnerable
Previous vulnerability researches
Giveaway Boost (CVE-2024-49332) , Oct 20, 2024
New vulnerability
WordPress Online Booking and Scheduling Plugin – Bookly (CVE-2026-42667) , May 22, 2026
Email Encoder – Protect Email Addresses and Phone Numbers (CVE-2026-5776) , May 22, 2026
GeoDirectory – WordPress Business Directory Plugin, or Classified Directory (CVE-2026-42671) , May 22, 2026
Widget Context (CVE-2026-7615) , May 22, 2026
Classified Listing – Classified ads & Business Directory Plugin (CVE-2026-42679) , May 22, 2026