
SureCart SQL Injection Vulnerability Discovered in Version 4.1.0

Severity: Medium (Score: 57.8)

Sources: Tenable

Published: 2026-05-20 · Updated: 2026-05-20

Keywords: surecart, version, prior, vulnerable, authenticated, injection, multiple

Summary

SureCart versions 4.1.0 and earlier (Tenable's advisory covers all versions prior to 4.2.1) are vulnerable to authenticated SQL injection through multiple parameters of the REST API endpoint '/surecart/v1/integrations/{id}'. The root cause is a flaw in the plugin's query builder: a value that contains a dot is not escaped before it is placed in the query, so an authenticated attacker who includes a dot in the payload can inject arbitrary SQL, up to full UNION-based extraction of the database. Every installation that has not been updated is affected; upgrading to SureCart 4.2.1 or later removes the flaw. Tenable's advisory does not assign a CVE identifier.

Key Points:
  • SureCart versions 4.1.0 and earlier are vulnerable to authenticated SQL injection.
  • A dot in the payload is what triggers the escaping bypass.
  • Upgrade to version 4.2.1 or later to remediate.

Detailed Analysis

**Impact**

Users of SureCart versions 4.1.0 and earlier are affected, across every sector that runs this e-commerce plugin; no geographic or sectoral breakdown is given. An authenticated attacker can execute arbitrary SQL queries against the site's database, risking full database extraction and therefore unauthorized access to customer and transaction data, with consequences for business operations and data confidentiality.

**Technical Details**

The vulnerability is an authenticated SQL injection in the REST API endpoint `/surecart/v1/integrations/{id}`, reachable through the parameters `model_name`, `model_id`, `integration_id`, and `provider`. The root cause lies in the escaping logic of the `wp-query-builder`: a value that contains a dot (`.`) or the WordPress table prefix (`wp_`) is not passed through `$wpdb->prepare()` and reaches the query unescaped, which is enough for UNION-based SQL injection. No CVE identifier, malware, or tooling is mentioned, and no IOCs are provided. In kill-chain terms the activity falls in the exploitation phase.

**Recommended Response**

Upgrade SureCart to version 4.2.1 or later immediately. Review REST API access logs for unusual use of the affected endpoint and parameters, and tighten authentication so that as few accounts as possible can reach it. No detection signatures or IOCs are published; defenders should prioritise patching and watch for anomalous SQL activity.
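The escaping bypass described under Technical Details and the log review suggested under Recommended Response, as an added Python example that is not SureCart's or Tenable's code. The toy `prepare()` stands in for `$wpdb->prepare()`; the rule that a dotted or `wp_`-prefixed value is inlined verbatim as if it were a `table.column` identifier is an assumed reconstruction of the flaw, not the plugin's actual source; and the `integrations` table name, the `/wp-json/` access-log lines and the payload are all constructed for the demonstration.

```python
"""Reconstruction of the dot-triggered escaping bypass beside a hardened
query builder, plus a detector over access-log lines. Builder rules, table
name, log format and sample data are assumptions for illustration."""
import re
from typing import Iterable
from urllib.parse import parse_qs

TABLE_PREFIX = "wp_"                                        # WordPress default
ALLOWED_COLUMNS = {"model_name", "model_id", "integration_id", "provider"}


def prepare(sql: str, *args: object) -> str:
    """Minimal stand-in for $wpdb->prepare(): %s becomes a quoted, escaped
    string literal and %d an integer; placeholders are filled left to right."""
    values = iter(args)

    def substitute(match: re.Match) -> str:
        value = next(values)
        if match.group(1) == "d":
            return str(int(value))
        escaped = str(value).replace("\\", "\\\\").replace("'", "\\'")
        return f"'{escaped}'"

    return re.sub(r"%([sd])", substitute, sql)


def where_value_vulnerable(value: str) -> str:
    """Assumed shape of the flaw: a value containing a dot, or starting with the
    table prefix, is taken for a table.column reference and inlined verbatim,
    so prepare() never sees it. Every other value is prepared correctly."""
    if "." in value or value.startswith(TABLE_PREFIX):
        return value
    return prepare("%s", value)


def build_query_vulnerable(filters: dict[str, str]) -> str:
    clauses = [f"`{col}` = {where_value_vulnerable(val)}" for col, val in filters.items()]
    return "SELECT * FROM integrations WHERE " + " AND ".join(clauses)


def build_query_hardened(filters: dict[str, str]) -> str:
    """Hardened form: request data is always a bound value, never an identifier,
    and identifiers come only from an allow-list, so no input picks the path."""
    clauses = []
    for col, val in filters.items():
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"unexpected filter column {col!r}")
        clauses.append(f"`{col}` = " + prepare("%s", val))
    return "SELECT * FROM integrations WHERE " + " AND ".join(clauses)


# --- detection over combined-format access logs (constructed sample data) ---
ENDPOINT = "/surecart/v1/integrations/"
SQL_MARKERS = re.compile(r"\b(union|select|from|information_schema|sleep)\b|--|/\*", re.I)
REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE) (\S+) HTTP/')

PAYLOAD = "0 UNION SELECT user_login, user_pass FROM wp_users-- ."   # note the dot
SAMPLE_LOG = [
    '203.0.113.7 - - [20/May/2026:10:01:02 +0000] "GET /wp-json/surecart/v1/integrations/42?provider=stripe HTTP/1.1" 200 812',
    '203.0.113.7 - - [20/May/2026:10:01:09 +0000] "GET /wp-json/surecart/v1/integrations/42?provider=0+UNION+SELECT+user_login,+user_pass+FROM+wp_users--+. HTTP/1.1" 200 1304',
    '198.51.100.9 - - [20/May/2026:10:02:15 +0000] "GET /wp-json/surecart/v1/integrations/7?model_name=product&model_id=12 HTTP/1.1" 200 640',
]


def flag_suspicious_requests(log_lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (line, parameter, decoded value) for requests to the affected
    route whose watched query parameters carry SQL syntax."""
    hits = []
    for line in log_lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        path, _, query = match.group(1).partition("?")
        if ENDPOINT not in path:
            continue
        params = parse_qs(query, keep_blank_values=True)
        for name in sorted(ALLOWED_COLUMNS):
            for value in params.get(name, []):
                if SQL_MARKERS.search(value):
                    hits.append((line, name, value))
    return hits


if __name__ == "__main__":
    print(build_query_vulnerable({"provider": PAYLOAD}))   # UNION lands in the query
    print(build_query_hardened({"provider": PAYLOAD}))     # payload is a quoted literal
    for line, name, value in flag_suspicious_requests(SAMPLE_LOG):
        print(f"suspicious {name}={value!r} in: {line}")
```

Run it directly to see both queries and the flagged log line. Standard access logs only carry query-string parameters; if the affected route reads these parameters from a JSON request body, the values never appear in the access log and the detector needs the body from a WAF or application log instead.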

Source articles (2)

  • Surecart — Tenable · 2026-05-20
    SureCart versions prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint '/surecart/v1/in…
  • Surecart — Tenable · 2026-05-20
    SureCart version 4.1.0 and likely prior versions are vulnerable to authenticated SQL injection via multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint…

Timeline

  • 2026-05-20 — Vulnerability disclosed: Tenable published an advisory detailing an SQL injection vulnerability in SureCart versions 4.1.0 and earlier.
  • 2026-05-20 — Upgrade recommended: Tenable advised users to upgrade to SureCart version 4.2.1 or later to address the vulnerability.

Related entities

  • SQL Injection (Attack Type)
  • CWE-89 - SQL Injection (CWE)
  • T1190 - Exploit Public-Facing Application (MITRE ATT&CK)
  • WordPress (Platform)