CVE-2026-9065 | THREATINT

Description

SureCart version prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint '/surecart/v1/integrations/{id}'. The root cause is a flawed escaping bypass in the query builder ('wp-query-builder'). Values passed to the 'where()' method are only sanitized via '$wpdb->prepare()' when they do **not** contain a dot ('.') or the WordPress table prefix ('wp_'). By including a dot anywhere in the payload, an attacker completely bypasses the escaping logic and injects arbitrary SQL into the 'WHERE' clause, allowing full UNION-based extraction of the database.

PUBLISHED Reserved 2026-05-20 | Published 2026-05-20 | Updated 2026-05-20 | Assigner tenable

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H

Problem types

CWE-89 Improper neutralization of special elements used in an SQL command ('SQL injection')

Product status

Default status

unaffected

O (custom) before 4.2.1

affected

References

www.tenable.com/security/research/tra-2026-43

cve.org (CVE-2026-9065)

nvd.nist.gov (CVE-2026-9065)

Download JSON