What the vulnerability does
01 Description
SureCart versions prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint '/surecart/v1/integrations/{id}'.
The root cause is flawed escaping logic in the plugin's query builder ('wp-query-builder'). Values passed to the 'where()' method are only run through '$wpdb->prepare()' when they do **not** contain a dot ('.') or the WordPress table prefix ('wp_'); any value that does contain one of them is interpolated into the query unescaped. By including a dot anywhere in the payload, an attacker skips the escaping entirely and injects arbitrary SQL into the 'WHERE' clause, allowing UNION-based extraction of the database.
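The following is an added illustration of the bug class described above, not SureCart or wp-query-builder code. The class names, the simplified 'prepare()' stand-in and the exact shape of the dot/prefix check are assumptions; what it models is the behaviour the advisory describes (a value containing '.' or 'wp_' bypasses '$wpdb->prepare()'), beside the shape a hardened builder should take: bind every value, and make column-to-column comparisons a separate, allow-listed call chosen by the caller's code path rather than by sniffing the data.

```php
<?php
declare(strict_types=1);

// Added example, not project code. FakeWpdb is a stand-in for WordPress's $wpdb so the
// script runs without WordPress; its prepare() only handles %s and escapes quotes and
// backslashes, which is enough to contrast quoting with raw interpolation.
final class FakeWpdb
{
    public string $prefix = 'wp_';

    public function prepare(string $query, string ...$args): string
    {
        foreach ($args as $arg) {
            $quoted = "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], $arg) . "'";
            $pos = strpos($query, '%s');
            if ($pos === false) {
                throw new InvalidArgumentException('more arguments than placeholders');
            }
            $query = substr_replace($query, $quoted, $pos, 2);
        }
        return $query;
    }
}

// The flawed pattern (assumed shape): guess from the VALUE whether it is a column reference.
final class VulnerableWhere
{
    public function __construct(private FakeWpdb $wpdb) {}

    public function build(string $column, string $value): string
    {
        // $column is assumed to be a fixed string in the calling code, not user input.
        $looksLikeColumn = str_contains($value, '.') || str_contains($value, $this->wpdb->prefix);
        if ($looksLikeColumn) {
            return "WHERE {$column} = {$value}";            // raw interpolation, no escaping
        }
        return $this->wpdb->prepare("WHERE {$column} = %s", $value);
    }
}

// The hardened pattern: a value is always bound. Comparing two columns is a different
// method whose identifier is validated against an allow-list regex, so the decision
// is made by which method the developer calls, never by the content of the data.
final class HardenedWhere
{
    public function __construct(private FakeWpdb $wpdb) {}

    public function build(string $column, string $value): string
    {
        return $this->wpdb->prepare("WHERE {$column} = %s", $value);
    }

    public function buildColumnCompare(string $column, string $otherColumn): string
    {
        $identifier = '/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/';
        if (preg_match($identifier, $otherColumn) !== 1) {
            throw new InvalidArgumentException("not a valid column reference: {$otherColumn}");
        }
        return "WHERE {$column} = {$otherColumn}";
    }
}

$wpdb = new FakeWpdb();
$vuln = new VulnerableWhere($wpdb);
$safe = new HardenedWhere($wpdb);

// Constructed sample values for the 'provider' parameter.
$inputs = [
    'stripe',          // ordinary value: both builders quote it
    'wp_users.ID',     // the kind of value the heuristic was presumably written for
    '1.0 OR 1=1',      // any dot flips the vulnerable builder into raw mode
];

foreach ($inputs as $value) {
    echo "value: {$value}\n";
    echo "  vulnerable: " . $vuln->build('provider', $value) . "\n";
    echo "  hardened:   " . $safe->build('provider', $value) . "\n";
}
// Explicit column comparison is still possible, but only through the allow-listed call:
echo "  column compare: " . $safe->buildColumnCompare('provider', 'wp_users.ID') . "\n";
```

Run with PHP 8.0 or newer ('php example.php'). The third input shows the point of the advisory: the vulnerable builder emits 'WHERE provider = 1.0 OR 1=1', while the hardened one emits 'WHERE provider = '1.0 OR 1=1''. The fix is not a better sniffing rule but removing the sniffing: the query builder should never decide, from the bytes of a caller-supplied value, whether that value is data or SQL.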
Explanation of Vulnerability in Simple Terms
02 Summary
SureCart versions before 4.2.1 contain a SQL injection vulnerability that is reachable only from a high-privilege context. An authenticated administrator can inject SQL through unvalidated REST API parameters and read or modify the site database. The vulnerability requires administrative access to exploit and does not affect data held outside the database. The issue is fixed in version 4.2.1.
What an attacker can do
03 Attacker Capabilities
Read or modify database contents via SQL injection, given admin-level access.
Potential impact on your site
04 Site Impact
A compromised admin account could allow an attacker to extract or alter customer data, payment records, or site configuration stored in the database.
Conditions required to exploit
05 Prerequisites
Attacker must have high-level administrative privileges on the WordPress site running SureCart. Note that on a default single-site WordPress install an administrator can already run arbitrary code by uploading a plugin or theme, so the additional exposure from this flaw matters most where file modifications are disabled ('DISALLOW_FILE_MODS') or administrator capabilities are otherwise constrained.
Key dates
06 Disclosure timeline
May 20, 2026: CVE published
May 20, 2026: Record updated