Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Blind SQL Injection.This issue affects WP EasyCart: from n/a through <= 5.8.13.
AnalysisAI
WP EasyCart versions 5.8.13 and earlier are vulnerable to blind SQL injection, allowing authenticated attackers to execute arbitrary SQL queries through improper input sanitization. This vulnerability could enable attackers to extract or manipulate sensitive database information, though code execution is not possible. No patch is currently available for this high-severity vulnerability (CVSS 8.5).
Technical ContextAI
WP EasyCart is a WordPress e-commerce plugin developed by levelfourdevelopment that enables online store functionality. The vulnerability stems from improper neutralization of special elements in SQL commands (CWE-89), a classic SQL injection flaw where user-supplied input is not properly sanitized before being incorporated into SQL queries. Blind SQL injection specifically means attackers cannot see query results directly but can infer information through boolean-based or time-based techniques. The affected versions range from the initial release through version 5.8.13, indicating this is a long-standing security issue in the codebase.
RemediationAI
Upgrade WP EasyCart to a version newer than 5.8.13 immediately, as this version range is confirmed vulnerable to SQL injection attacks. If immediate patching is not possible, implement web application firewall (WAF) rules to filter SQL injection attempts, restrict plugin access to trusted administrator accounts only, and monitor database query logs for suspicious activity. Regular security audits of database queries and input validation mechanisms should be conducted, especially for any custom modifications to the plugin.
More in Wp Easycart
View allUnrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka Wor
The ec_ajax_update_option and ec_ajax_clear_all_taxrates functions in inc/admin/admin_ajax_functions.php in the WP EasyC
The Shopping Cart & eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticate
The EasyCart (wp-easycart) plugin before 2.0.6 for WordPress allows remote attackers to obtain configuration information
SQL injection in the WP EasyCart WordPress e-commerce plugin (all versions up to and including 5.9.0) lets a low-privile
The WP EasyCart plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in versions u
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11949