Description
A flaw has been found in SourceCodester Simple Food Ordering System 1.0. The affected element is an unknown function of the file /cart.php. Executing a manipulation of the argument item_price can lead to business logic errors. The attack may be performed from remote. The exploit has been published and may be used.
Published: 2026-06-29
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an unvalidated argument in cart.php that lets an attacker set the item_price value, causing the system to apply a different price than intended. This business‑logic error can lead to unauthorized discounts or overcharging, impacting the integrity of transaction totals. The vulnerability is identified as CWE‑840.

Affected Systems

The vulnerability exists in SourceCodester Simple Food Ordering System 1.0. No higher or lower versions are listed in the current data. Administrators should verify that they are running this product and evaluate whether the affected code remains in use.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium to high risk. EPSS data is not available, and the vulnerability is not currently listed in CISA’s KEV catalog. The attack can be carried out remotely by manipulating the item_price parameter in a request to cart.php. Published exploit code exists, so an attacker could deploy it without significant additional effort.

Generated by OpenCVE AI on June 29, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SourceCodester Simple Food Ordering System to the latest release or apply the vendor’s official patch once issued.
  • If an update is not immediately available, restrict the item_price parameter to a server‑side computed value: remove any client‑supplied price from the request and calculate the total on the server.
  • Sanitize and validate all price-related inputs to ensure they are numeric and within expected ranges, preventing logic bypasses.
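The server-side pricing recommended above, as an added example that is not SourceCodester's code: a cart handler that reads only item_id and qty from the request, prices each line from the application's own catalog, and recomputes the total on the server on every read. The products table, the in-memory PDO connection, and the function names are assumptions; the page does not show the application's schema or the affected function in cart.php.

```php
<?php
declare(strict_types=1);

// Added example, not the project's own code. Hypothetical weak pattern that
// the hardened handler below replaces (the real function is not on the page):
// trusting $_POST['item_price'] lets the client choose the price it is charged.
//   $_SESSION['cart'][] = ['id' => $_POST['item_id'],
//                          'price' => $_POST['item_price'], 'qty' => $_POST['qty']];

/** Constructed in-memory catalog standing in for the app's product table (assumed schema). */
function buildCatalog(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER NOT NULL)');
    $stmt = $pdo->prepare('INSERT INTO products (id, name, price_cents) VALUES (?, ?, ?)');
    $stmt->execute([1, 'Burger', 899]);
    $stmt->execute([2, 'Fries', 349]);
    return $pdo;
}

/** Unit price for an item from the catalog, in integer cents; null if unknown. */
function lookupUnitPriceCents(PDO $pdo, int $itemId): ?int
{
    $stmt = $pdo->prepare('SELECT price_cents FROM products WHERE id = ?');
    $stmt->execute([$itemId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['price_cents'];
}

/**
 * Add an item to the cart. Only item_id and qty are read from the request and
 * both are validated as integers within a range; an item_price field, if the
 * client sends one, is never consulted. Returns the updated cart or an error.
 */
function addToCart(PDO $pdo, array $cart, array $request): array
{
    $itemId = filter_var($request['item_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $qty = filter_var($request['qty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 50]]);
    if ($itemId === false || $qty === false) {
        return ['ok' => false, 'error' => 'invalid item_id or qty', 'cart' => $cart];
    }
    if (lookupUnitPriceCents($pdo, $itemId) === null) {
        return ['ok' => false, 'error' => 'unknown item', 'cart' => $cart];
    }
    // The cart stores only what was ordered; the price is looked up at total time.
    $cart[$itemId] = ['qty' => ($cart[$itemId]['qty'] ?? 0) + $qty];
    return ['ok' => true, 'cart' => $cart];
}

/** Recompute the total from catalog prices so no stored or submitted price can drift. */
function cartTotalCents(PDO $pdo, array $cart): int
{
    $total = 0;
    foreach ($cart as $itemId => $line) {
        $unit = lookupUnitPriceCents($pdo, (int) $itemId);
        if ($unit === null) {
            continue; // stale line: item no longer in the catalog
        }
        $total += $unit * $line['qty'];
    }
    return $total;
}

// Constructed requests: the second carries a client-chosen item_price, which
// the handler ignores; the third has an out-of-range quantity and is rejected.
$pdo = buildCatalog();
$r1 = addToCart($pdo, [], ['item_id' => '1', 'qty' => '2']);
$r2 = addToCart($pdo, $r1['cart'], ['item_id' => '2', 'qty' => '1', 'item_price' => '0.01']);
$r3 = addToCart($pdo, $r2['cart'], ['item_id' => '2', 'qty' => '-5']);
printf("r2 ok=%s total=%d cents\n", json_encode($r2['ok']), cartTotalCents($pdo, $r2['cart']));
printf("r3 ok=%s error=%s\n", json_encode($r3['ok']), $r3['error']);
```

Prices are kept as integer cents so that totals never depend on floating-point rounding, and the total is derived from the catalog at checkout time rather than from anything stored in the session, which is the property the recommended action asks for: a client-supplied price has nowhere to enter the calculation.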


Advisories

No advisories yet.

History

Mon, 29 Jun 2026 15:30:00 +0000

Type: Metrics
  Values removed: none
  Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 29 Jun 2026 15:00:00 +0000

Values removed: none. Values added, by type:

Type: Description
  A flaw has been found in SourceCodester Simple Food Ordering System 1.0. The affected element is an unknown function of the file /cart.php. Executing a manipulation of the argument item_price can lead to business logic errors. The attack may be performed from remote. The exploit has been published and may be used.
Type: Title
  SourceCodester Simple Food Ordering System cart.php logic error
Type: First Time appeared
  Sourcecodester; Sourcecodester simple Food Ordering System
Type: Weaknesses
  CWE-840
Type: CPEs
  cpe:2.3:a:sourcecodester:simple_food_ordering_system:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Sourcecodester; Sourcecodester simple Food Ordering System
Type: References
  (none listed)
Type: Metrics
  cvssV2_0 {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T15:06:36.819Z

Reserved: 2026-06-28T18:38:58.106Z

Link: CVE-2026-13571

Vulnrichment

Updated: 2026-06-29T15:06:33.571Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T21:00:04Z

Weaknesses