Surecart - SQL Injection - Research Advisory

Synopsis

SureCart version prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint '/surecart/v1/integrations/{id}'.

The root cause is a flawed escaping bypass in the query builder ('wp-query-builder'). Values passed to the 'where()' method are only sanitized via '$wpdb->prepare()' when they do **not** contain a dot ('.') or the WordPress table prefix ('wp_'). By including a dot anywhere in the payload, an attacker completely bypasses the escaping logic and injects arbitrary SQL into the 'WHERE' clause, allowing full UNION-based extraction of the database.

Solution

Upgrade to Surecart version 4.2.1 or later.

Additional References

https://wordpress.org/plugins/surecart

Disclosure Timeline

April 08, 2026 - Report submitted on Patchstack

April 13, 2026 - PatchStack say the report is out of scope due to a privilege requirement

April 20, 2026 - Send a contact request to Brainstorm Force

April 21, 2026 - Tenable sends details to the vendor

April 27, 2026 - Fixed in version 4.2.1

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

CVE ID: CVE-2026-9065

Tenable Advisory ID: TRA-2026-43

Credit:
Joshua Martinelle

CVSSv3 Base / Temporal Score:
6.5

CVSSv3 Vector:
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CVSSv4 Base Score:
9.3

CVSSv4 Vector:
AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H

Affected Products:
Surecart

Risk Factor:
Medium

Explore By Use Case

Explore By Industry

Tenable is the one clear leader in Exposure Management

Exposure management resource center

Accelerate your exposure management strategy with practical resources and tools.

Surecart - SQL Injection

Synopsis

Solution

Additional References

Disclosure Timeline

Request a demo

Thank You

Request a demo

Thank You

Request a demo

Thank You

Request a demo

Thank You

Request a demo

Thank You

Request a demo

Thank You

Request a demo

Thank You

Request a demo

Thank You

Request a demo

Thank You

See Tenable in action

Thank you for subscribing!

Learn How Tenable Helps Achieve SLCGP Cybersecurity Plan Requirements

Thank You

Cybersecurity news you can use

Thank you for subscribing!

Try for free

Tenable Vulnerability Management

Buy now

Tenable Vulnerability Management

100

Thank You

Try for free

Try Tenable Web App Scanning

Buy now

Buy Tenable Web App Scanning

5

$3,578

Thank You

Try for free

Try Tenable Nessus Professional free

Buy now

Buy Tenable Nessus Professional

Try for free

Try Tenable Nessus Expert free

Buy now

Buy Nessus Expert

Advanced Support Plan Features

Phone Support

Chat Support

Tenable Community Support Portal

Initial Response Time

Support Contacts

Exposure management
resource center