CVE-2026-57765 HIGH

CVE-2026-57765: WordPress WP EasyCart plugin <= 5.9.0 - SQL Injection vulnerability

Vendor: Levelfourdevelopment
Product: WP EasyCart
Weakness: CWE-89 · SQLi
Published: July 2, 2026
Last update: July 2, 2026

CVSS base score

8.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

What the vulnerability does

01 Description

Contributor SQL Injection in WP EasyCart <= 5.9.0 versions.

Explanation of Vulnerability in Simple Terms

02 Summary

WP EasyCart versions up to 5.9.0 contain a SQL injection vulnerability in a network-accessible function that requires low-level authentication. An attacker with a user account can craft malicious input to read sensitive database records, including customer data and site configuration. The vulnerability also allows limited disruption of site availability.

What an attacker can do

03 Attacker Capabilities

Read sensitive data from the site's database, including customer information and configuration details.

Potential impact on your site

04 Site Impact

Customer data, payment records, and site configuration may be exposed to authenticated attackers; site availability may be degraded.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege user account (e.g., customer or subscriber role) on the site.

Key dates

06 Disclosure timeline

July 2, 2026: CVE published