PatchSiren cyber security CVE debrief
CVE-2026-9065 brainstormforce CVE debrief
CVE-2026-9065 is a critical authenticated SQL injection vulnerability affecting SureCart versions prior to 4.2.1. The vulnerability resides in the REST API endpoint `/surecart/v1/integrations/{id}` and can be exploited through multiple parameters: `model_name`, `model_id`, `integration_id`, and `provider`. The root cause is a flawed conditional escaping rule in the `wp-query-builder` query builder. Values passed to the `where()` method are only sanitized via `$wpdb->prepare()` when they contain neither a dot ('.') nor the WordPress table prefix ('wp_'). By including a dot anywhere in the payload, an attacker can bypass the escaping logic entirely and inject arbitrary SQL into the WHERE clause, enabling full UNION-based extraction of the database. The vulnerability was published on 2026-05-20 and carries a CVSS score of 9.3 (Critical).
- Vendor: brainstormforce
- Product: Surecart
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
WordPress site administrators running the SureCart e-commerce plugin; security teams managing WordPress installations; developers maintaining custom integrations with the SureCart REST API; compliance officers responsible for PCI-DSS environments that use SureCart for payment processing
Technical summary
The vulnerability exists in SureCart's WordPress plugin (versions < 4.2.1) within the REST API endpoint `/surecart/v1/integrations/{id}`. The `wp-query-builder` component's `where()` method implements conditional sanitization: values are passed through `$wpdb->prepare()` only when they contain neither a dot ('.') nor the 'wp_' table prefix. This logic error allows attackers to bypass escaping by including a dot in their payload, so the value is concatenated unsanitized into the WHERE clause. The attack requires authentication but enables complete database compromise via UNION-based extraction. Multiple injection points exist across the `model_name`, `model_id`, `integration_id`, and `provider` parameters.
Defensive priority
CRITICAL
Recommended defensive actions
- Upgrade SureCart to version 4.2.1 or later to remediate the SQL injection vulnerability
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting REST API endpoints with parameters including dots or WordPress table prefixes
- Review and audit all custom integrations using the `/surecart/v1/integrations/{id}` endpoint for signs of compromise
- Apply principle of least privilege to API credentials and restrict access to the integrations endpoint
- Monitor database query logs for anomalous UNION-based queries or unexpected table access patterns
- Conduct security review of custom query builder implementations to ensure proper parameter sanitization regardless of input content
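To make the last action and the technical summary concrete, here is an added example (not SureCart's or `wp-query-builder`'s code) that reconstructs the defect class in a small Python/sqlite3 builder, places a hardened `where()` beside it, and runs the review probe a security reviewer would apply: every value must be bound as a parameter regardless of content. The table, column names, and probe values are constructed for the demonstration.

```python
import sqlite3

# Constructed sample table standing in for the plugin's integrations data.
SETUP_SQL = [
    "CREATE TABLE integrations (id INTEGER PRIMARY KEY, model_name TEXT, provider TEXT)",
    "INSERT INTO integrations VALUES (1, 'product', 'zapier')",
    "INSERT INTO integrations VALUES (2, 'product.variant', 'wp_mail')",
]

def flawed_where(column, value):
    # Hypothetical reconstruction of the defect class described in the advisory:
    # the value is bound only when it contains neither a dot nor the 'wp_' prefix;
    # otherwise it is concatenated into the WHERE clause as-is.
    if "." in value or "wp_" in value:
        return f"SELECT id FROM integrations WHERE {column} = {value}", ()
    return f"SELECT id FROM integrations WHERE {column} = ?", (value,)

def safe_where(column, value):
    # Hardened form: the column name must come from an allow-list and the
    # value is always bound as a parameter, whatever characters it contains.
    allowed = {"model_name", "model_id", "integration_id", "provider"}
    if column not in allowed:
        raise ValueError(f"unknown column: {column}")
    return f"SELECT id FROM integrations WHERE {column} = ?", (value,)

# Values a review should push through any builder: plain text, text with a
# dot, text with the table prefix, and text containing a quote character.
PROBE_VALUES = ["zapier", "product.variant", "wp_mail", "o'neil"]

def audit_builder(builder, column="provider"):
    """Return the probe values the builder fails to bind as parameters."""
    failures = []
    for value in PROBE_VALUES:
        sql, params = builder(column, value)
        # A value may appear only in the bound parameters, never in the SQL text.
        if value in sql or params != (value,):
            failures.append(value)
    return failures

def run_query(builder, column, value):
    """Execute the builder's query against the sample table; return matching ids."""
    conn = sqlite3.connect(":memory:")
    for stmt in SETUP_SQL:
        conn.execute(stmt)
    sql, params = builder(column, value)
    return [row[0] for row in conn.execute(sql, params)]

if __name__ == "__main__":
    print("flawed builder fails on:", audit_builder(flawed_where))
    print("safe builder fails on:", audit_builder(safe_where))
    print("dotted value looked up literally:", run_query(safe_where, "model_name", "product.variant"))
```

The audit reports exactly the dotted and prefixed probes for the flawed builder and nothing for the hardened one, which still matches a dotted value literally because it is passed as data rather than SQL.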
Evidence notes
Vulnerability disclosed via Tenable security research (TRA-2026-43). CWE-89 (SQL Injection) classification confirmed. CVSS 4.0 vector provided in NVD record.
Official resources
- CVE-2026-9065 CVE record (CVE.org)
- CVE-2026-9065 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Published 2026-05-20