{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32422", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:11:26.570Z", "datePublished": "2026-03-13T11:42:16.471Z", "dateUpdated": "2026-04-29T09:51:59.010Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wp-easycart", "product": "WP EasyCart", "vendor": "levelfourdevelopment", "versions": [{"changes": [{"at": "5.8.14", "status": "unaffected"}], "lessThanOrEqual": "5.8.13", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:06:15.249Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Blind SQL Injection.<p>This issue affects WP EasyCart: from n/a through <= 5.8.13.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Blind SQL Injection.This issue affects WP EasyCart: from n/a through <= 5.8.13."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:59.010Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wp-easycart/vulnerability/wordpress-wp-easycart-plugin-5-8-13-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress WP EasyCart plugin <= 5.8.13 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T18:05:43.292112Z", "id": "CVE-2026-32422", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T18:06:07.361Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32422", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T18:05:43.292112Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T18:04:53.099Z"}}], "cna": {"title": "WordPress WP EasyCart plugin <= 5.8.13 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "affected": [{"vendor": "levelfourdevelopment", "product": "WP EasyCart", "versions": [{"status": "affected", "changes": [{"at": "5.8.14", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "5.8.13"}], "packageName": "wp-easycart", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:06:15.249Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wp-easycart/vulnerability/wordpress-wp-easycart-plugin-5-8-13-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Blind SQL Injection.This issue affects WP EasyCart: from n/a through <= 5.8.13.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Blind SQL Injection.<p>This issue affects WP EasyCart: from n/a through <= 5.8.13.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:16:14.074Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32422", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:16:14.074Z", "dateReserved": "2026-03-12T11:11:26.570Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:16.471Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Blind SQL Injection.This issue affects WP EasyCart: from n/a through <= 5.8.13."}, {"lang": "es", "value": "Neutralizaci\u00f3n Incorrecta de Elementos Especiales utilizados en un Comando SQL ('Inyecci\u00f3n SQL') vulnerabilidad en levelfourdevelopment WP EasyCart wp-easycart permite Inyecci\u00f3n SQL Ciega. Este problema afecta a WP EasyCart: desde n/a hasta &lt;= 5.8.13."}], "id": "CVE-2026-32422", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:55:00.090", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wp-easycart/vulnerability/wordpress-wp-easycart-plugin-5-8-13-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.8.13]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[5.8.14,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WP EasyCart", "source": "cna", "vendor": "levelfourdevelopment"}, "product": "wp-easycart", "vendor": "levelfourdevelopment"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T15:18:38.029162+00:00", "value": {"mitigation_remediation": ["Upgrade WP EasyCart to a version newer than 5.8.13 if available.", "Deactivate or uninstall the WP EasyCart plugin if no patch exists.", "If the plugin is required, apply input validation or a web application firewall rule to block SQL injection patterns targeting the plugin\u2019s endpoints.", "Monitor your site for suspicious database activity and review logs for unauthorized queries."], "summary": {"action": "Patch Now", "impact": "SQL Injection (Data Compromise)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the levelfourdevelopment WP EasyCart plugin on WordPress sites. All releases from n/a through version 5.8.13 are impacted, so any installation using WP EasyCart 5.8.13 or earlier is at risk.", "description_and_impact": "This vulnerability is a blind SQL Injection in the WP EasyCart plugin due to improper neutralization of special elements in an SQL command. Attackers can insert crafted input that is executed by the database without error feedback, allowing them to read, modify, or delete data in the WordPress database, potentially leading to site compromise or data exfiltration.", "risk_and_exploitability": "The CVSS score of 8.5 indicates high severity. The EPSS score of less than 1% suggests the probability of exploitation is low, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is via web requests to the plugin\u2019s input fields, where attackers can supply malicious payloads that are executed by the database in a blind manner. Successful exploitation would enable data access or modification."}}}}, "created": "2026-03-16T09:33:50.199684+00:00", "updated": "2026-03-23T12:03:42.166346+00:00", "vendors": ["levelfourdevelopment", "levelfourdevelopment$PRODUCT$wp-easycart", "wordpress", "wordpress$PRODUCT$wordpress"]}