Security Advisory
CVE-2026-9065
CVE vulnerability detail — eXtreme Datacenter Security Operations
Description
SureCart versions prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters (model_name, model_id, integration_id, provider) of the REST API endpoint /surecart/v1/integrations/{id}. The root cause is flawed escaping logic in the query builder (wp-query-builder): values passed to the where() method are sanitized via $wpdb->prepare() only when they do **not** contain a dot (.) or the WordPress table prefix (wp_). By including a dot anywhere in the payload, an attacker bypasses the escaping logic entirely and injects arbitrary SQL into the WHERE clause, allowing full UNION-based extraction of the database.
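As an added illustration (not SureCart's or wp-query-builder's own code), the following simplified PHP shows a where() helper with the conditional-escaping pattern the advisory describes, beside a hardened version that binds every value through a placeholder and validates the column name against an allowlist. The `$wpdb` object, the allowlist and the sample value are assumptions.

```php
<?php
// Added illustration, not the plugin's code. $wpdb is the WordPress database
// object (wpdb), whose prepare() and $prefix are real; everything else is constructed.

// Flawed pattern: the value is bound through $wpdb->prepare() only when it
// contains neither a dot nor the table prefix. Any other value is interpolated
// raw into the SQL, so a request parameter containing '.' reaches the WHERE
// clause unescaped. The branch is presumably meant for column references such
// as table.column (an assumption; the advisory does not state the intent).
function where_flawed( $wpdb, string $column, string $value ): string {
    if ( strpos( $value, '.' ) === false && strpos( $value, $wpdb->prefix ) === false ) {
        return $wpdb->prepare( "WHERE {$column} = %s", $value );
    }
    return "WHERE {$column} = {$value}"; // unescaped: the vulnerability
}

// Hardened version: every request-supplied value is bound with a placeholder
// regardless of its contents; column references are never taken from input,
// and the column name must be on an allowlist before it is interpolated.
function where_safe( $wpdb, string $column, $value, array $allowed_columns ): string {
    if ( ! in_array( $column, $allowed_columns, true ) ) {
        throw new InvalidArgumentException( "Unknown column: {$column}" );
    }
    $placeholder = is_int( $value ) ? '%d' : '%s';
    return $wpdb->prepare( "WHERE `{$column}` = {$placeholder}", $value );
}

// Constructed inputs: a harmless value that happens to contain a dot.
$allowed = [ 'model_name', 'model_id', 'integration_id', 'provider' ];
echo where_flawed( $wpdb, 'provider', 'stripe.v2' ), PHP_EOL; // interpolated raw
echo where_safe( $wpdb, 'provider', 'stripe.v2', $allowed ), PHP_EOL; // bound as a string
```

When reviewing a query builder for this class of defect, grep for any code path in which a user-controlled value is concatenated into SQL on a content-based condition; the safe rule is that the decision to bind never depends on the value.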