SureCart SQL Injection Vulnerability

A SQL injection vulnerability has been identified in SureCart versions prior to 4.2.1. This vulnerability allows authenticated users to exploit multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint '/surecart/v1/integrations/{id}'. The issue arises from a flaw in the query builder that improperly handles escaping. Values sent to the 'where()' method are only sanitized using '$wpdb->prepare()' if they do not contain a dot or the WordPress table prefix. By inserting a dot into the payload, an attacker can bypass the escaping mechanism entirely, injecting arbitrary SQL into the 'WHERE' clause. This exploitation enables full UNION-based extraction of the database.

Impact

Exploitation of this vulnerability allows for authenticated SQL injection, with the potential for arbitrary SQL execution and database manipulation, including data extraction via UNION-based techniques.

Remediation

Users are advised to upgrade to SureCart version 4.2.1 or later.