Description
Advance Gift Shop Pro Script 2.0.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. Attackers can submit crafted SQL payloads in the 's' parameter of search requests to extract sensitive database information including version details and other data.
Published: 2026-04-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Exfiltration
Action: Patch Now
AI Analysis

Impact

An unauthenticated SQL injection flaw exists in the ‘s’ search parameter of Advance Gift Shop Pro Script 2.0.3. By supplying crafted payloads, attackers can run arbitrary SQL commands against the underlying database, retrieving sensitive data such as user credentials, credit card numbers, or structural information. This flaw aligns with CWE‑89 and violates confidentiality by exposing database contents.

Affected Systems

The affected product is Advance Gift Shop Pro Script from Phpscriptsmall, specifically version 2.0.3. No other versions or versions lists are documented in the CVE record.

Risk and Exploitability

The weakness carries a CVSS score of 8.8, indicating high severity. EPSS information is not provided, and the vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw purely through web requests targeting the search endpoint, requiring no authentication and minimal skill beyond constructing a SQL payload. Given the high score and absence of mitigating controls, the risk remains substantial for sites still running the vulnerable version.

Generated by OpenCVE AI on April 5, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the installed version of Advance Gift Shop Pro Script.
  • Obtain and deploy the latest version or official security patch from the vendor to eliminate the SQL injection flaw.
  • If an update is unavailable, sanitize or remove the search parameter ‘s’ from public input to prevent injection.
  • Review web application logs for anomalous search activity and block offending IP addresses.

Generated by OpenCVE AI on April 5, 2026 at 23:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:phpscriptsmall:advance_gift_shop_pro_script:*:*:*:*:*:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Phpscriptsmall
Phpscriptsmall advance Gift Shop Pro Script
Vendors & Products Phpscriptsmall
Phpscriptsmall advance Gift Shop Pro Script

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 05 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Advance Gift Shop Pro Script 2.0.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter. Attackers can submit crafted SQL payloads in the 's' parameter of search requests to extract sensitive database information including version details and other data.
Title Advance Gift Shop Pro Script 2.0.3 SQL Injection via search
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Phpscriptsmall Advance Gift Shop Pro Script
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-06T15:53:28.986Z

Reserved: 2026-04-05T13:31:54.225Z

Link: CVE-2019-25680

cve-icon Vulnrichment

Updated: 2026-04-06T15:48:33.651Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-05T21:16:46.290

Modified: 2026-04-24T15:45:08.020

Link: CVE-2019-25680

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:48:29Z

Weaknesses