SQL Injection Vulnerability in SureCart by SureCart
CVE-2026-9065

9.3 CRITICAL

Key Information:

Vendor: WordPress
Status: Vendor
CVE Published: 20 May 2026

What is CVE-2026-9065?

SureCart versions prior to 4.2.1 are susceptible to authenticated SQL injection through multiple parameters, including 'model_name', 'model_id', 'integration_id', and 'provider', on the REST API endpoint '/surecart/v1/integrations/{id}'. The vulnerability stems from how the 'wp-query-builder' library constructs queries: values passed to its 'where()' method are not adequately sanitized when they contain a dot ('.') or the default WordPress table prefix ('wp_'). By exploiting this flaw, an attacker can insert SQL into the 'WHERE' clause and use UNION-based queries to retrieve and manipulate sensitive database information.
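To illustrate the class of defect described above, here is an added example; it is not SureCart's or wp-query-builder's code. The "weak" builder is a hypothetical reconstruction of the described pattern (a value that contains '.' or starts with 'wp_' is assumed to be a column reference and left unquoted), shown beside a hardened form that always binds values with `$wpdb->prepare()`. The column allow-list is an assumption for the example.

```php
<?php
// Added illustration, not SureCart or wp-query-builder code. The weak builder
// is a hypothetical reconstruction of the pattern the advisory describes.

function looks_like_column(string $value): bool {
    // Assumed heuristic: "table.column" or "wp_table" is treated as an identifier.
    return str_contains($value, '.') || str_starts_with($value, 'wp_');
}

// Weak form: only "plain" strings are quoted, so a dotted or wp_-prefixed
// value from the request lands in the WHERE clause as raw SQL.
function where_weak(string $column, string $value): string {
    $rhs = looks_like_column($value) ? $value : "'" . esc_sql($value) . "'";
    return "WHERE `{$column}` = {$rhs}";
}

// Hardened form: user-supplied data is never an identifier. Column names come
// from an allow-list the code controls (assumed names here); values are always
// bound with $wpdb->prepare() placeholders, whatever characters they contain.
function where_safe(wpdb $wpdb, string $column, string $value): string {
    static $allowed = ['model_name', 'model_id', 'integration_id', 'provider'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("Unknown column: {$column}");
    }
    return $wpdb->prepare("WHERE `{$column}` = %s", $value);
}

// Defensive self-check on constructed input: a benign value containing a dot,
// such as a version string, must still come out quoted. If it does not, the
// builder follows the weak pattern and every request field it receives needs
// to go through placeholders instead.
function value_is_quoted(string $sql): bool {
    return (bool) preg_match("/= '.*'$/", $sql);
}
```

Calling `value_is_quoted(where_weak('provider', 'v1.0'))` returns false, which is the tell-tale sign of the weak pattern; the hardened form quotes the same value unconditionally.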

Affected Version(s)

SureCart < 4.2.1

CVSS v4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability reserved