Which versions of SureCart are affected by EUVD-2026-31072?

SureCart WordPress plugin versions before 4.2.1 contain a critical SQL injection vulnerability allowing authenticated administrators to extract the complete database, including customer payment…. A patch is available.

SureCart EUVD-2026-31072

Q: What is the CVSS score of EUVD-2026-31072?

EUVD-2026-31072 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

Q: How to fix or mitigate EUVD-2026-31072?

Within 24 hours: Identify all SureCart installations and verify current versions; audit REST API access logs for suspicious queries to the /surecart/v1/integrations/{id} endpoint. Within 7 days: Update all SureCart plugin installations to version 4.2.1 or later. Within 30 days: Review administrative account activity logs during the vulnerability window and reset credentials for high-privileged users.

| CVE-2026-9065 CRITICAL

SQL Injection (CWE-89)

2026-05-20 tenable

GHSA-qp65-j7f9-qv73

WordPress SQLi

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

May 20, 2026 - 09:30 vuln.today

Patch available

May 20, 2026 - 09:01 EUVD

DescriptionNVD

SureCart version prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint '/surecart/v1/integrations/{id}'.

The root cause is a flawed escaping bypass in the query builder ('wp-query-builder'). Values passed to the 'where()' method are only sanitized via '$wpdb->prepare()' when they do not contain a dot ('.') or the WordPress table prefix ('wp_'). By including a dot anywhere in the payload, an attacker completely bypasses the escaping logic and injects arbitrary SQL into the 'WHERE' clause, allowing full UNION-based extraction of the database.

AnalysisAI

{id} REST endpoint. The flaw stems from a sanitization bypass in the wp-query-builder component where payloads containing a dot character skip $wpdb->prepare() escaping entirely, enabling UNION-based data exfiltration. …

RemediationAI

{id} endpoint. Within 7 days: Update all SureCart plugin installations to version 4.2.1 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory