Skip to main content

WP EasyCart EUVDEUVD-2026-41320

| CVE-2026-57765 HIGH
SQL Injection (CWE-89)
2026-07-02 Patchstack GHSA-5rmv-7mhc-rw9q
8.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
8.5 HIGH

Network-reachable low-complexity SQLi needs a Contributor account (PR:L); DB read across shared WordPress tables justifies S:C and C:H, with no integrity and only low availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:20 vuln.today

DescriptionCVE.org

Contributor SQL Injection in WP EasyCart <= 5.9.0 versions.

AnalysisAI

SQL injection in the WP EasyCart WordPress e-commerce plugin (all versions up to and including 5.9.0) lets a low-privileged authenticated user with Contributor role inject arbitrary SQL into backend queries. Reported by Patchstack and rated CVSS 8.5, the flaw allows attackers to read sensitive database contents such as customer records, order data, and WordPress user credential hashes. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Contributor-level account
Delivery
Reach vulnerable WP EasyCart endpoint
Exploit
Submit crafted SQL injection input
Execution
Query executes against WordPress database
Impact
Exfiltrate customer data and credential hashes

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress account at the Contributor role or higher on a site running WP EasyCart version 5.9.0 or earlier (per CVSS PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L indicates network-reachable, low-complexity exploitation requiring low privileges (an authenticated Contributor account) and no user interaction, with a scope change and high confidentiality impact but no integrity impact and only low availability impact - consistent with a data-read SQLi rather than full RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a Contributor-level account on a WordPress site running WP EasyCart 5.9.0 or earlier, then submits crafted input to a vulnerable plugin parameter that is concatenated into a SQL query. Because the vector is network-based with low complexity and no user interaction, the attacker exfiltrates customer PII, order details, or password hashes from the shared WordPress database in a single authenticated session. …
Remediation Upgrade WP EasyCart to a release later than 5.9.0 once confirmed via the vendor/Patchstack advisory (https://patchstack.com/database/wordpress/plugin/wp-easycart/vulnerability/wordpress-wp-easycart-plugin-5-9-0-sql-injection-vulnerability); no vendor-released patch version was identified in the provided data, so verify the fixed version on that advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for WP EasyCart ≤v5.9.0; immediately revoke or restrict Contributor role permissions to only trusted administrators. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2014-9308 MEDIUM POC
6.5 Jan 15

Unrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka Wor

CVE-2015-2673 HIGH POC
8.8 Oct 06

The ec_ajax_update_option and ec_ajax_clear_all_taxrates functions in inc/admin/admin_ajax_functions.php in the WP EasyC

CVE-2023-1124 HIGH POC
7.2 Apr 03

The Shopping Cart & eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticate

CVE-2014-4942 MEDIUM POC
5.0 Jul 11

The EasyCart (wp-easycart) plugin before 2.0.6 for WordPress allows remote attackers to obtain configuration information

CVE-2026-32422 HIGH
8.5 Mar 13

WP EasyCart versions 5.8.13 and earlier are vulnerable to blind SQL injection, allowing authenticated attackers to execu

CVE-2023-3023 HIGH
7.2 Jul 12

The WP EasyCart plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in versions u

CVE-2023-2891 MEDIUM
6.5 Jun 09

The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8

CVE-2023-2892 MEDIUM
6.5 Jun 09

The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8

CVE-2023-2894 MEDIUM
4.3 Jun 09

The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8

CVE-2023-2896 MEDIUM
4.3 Jun 09

The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8

CVE-2023-2895 MEDIUM
4.3 Jun 09

The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8

CVE-2023-2893 MEDIUM
4.3 Jun 09

The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8

Share

EUVD-2026-41320 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy