Description
A vulnerability was detected in AojiaoZero Antaris 1.0. This affects the function _rewardPurchase of the file /ipn.php of the component PayPal IPN Payment Handler. The manipulation of the argument item_number results in sql injection. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-07-12
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AojiaoZero Antaris 1.0 contains a flaw in the PayPal IPN Payment Handler's _rewardPurchase function within ipn.php. The item_number argument is not properly validated, allowing an attacker to inject arbitrary SQL through that parameter. Because the injection can be performed remotely, an adversary could read, modify, or delete database records related to payment processing, compromising confidentiality, integrity, and availability of transaction data.

Affected Systems

The vulnerable component is Antaris 1.0 from the vendor AojiaoZero. No additional versions are listed, indicating that the 1.0 release is the only affected product at this time.

Risk and Exploitability

The CVSS score of 5.3 classifies the vulnerability as moderate. The EPSS score is not available, and the issue is not listed in CISA's KEV catalog, implying no known exploitation activity. The attack vector is remote, and no authentication is required per the description, meaning anyone able to direct traffic to the PayPal IPN endpoint could craft a malicious item_number payload. An exploit can succeed by sending a specially constructed request to /ipn.php, and the lack of defensive mechanisms such as parameterized queries or input filtering increases the feasibility of successful injection.

Generated by OpenCVE AI on July 12, 2026 at 21:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of Antaris once the vendor releases a fix; if no patch is available, remove the vulnerable function or replace the code with a version that uses prepared statements and validates item_number.
  • Restrict access to the /ipn.php endpoint to only PayPal's IP addresses using firewall or web server configuration, limiting exposure to external input.
  • Deploy a web application firewall ruleset that detects and blocks adversarial SQL injection payloads targeting the item_number parameter, and log any such attempts for further analysis.

Generated by OpenCVE AI on July 12, 2026 at 21:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 12 Jul 2026 13:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in AojiaoZero Antaris 1.0. This affects the function _rewardPurchase of the file /ipn.php of the component PayPal IPN Payment Handler. The manipulation of the argument item_number results in sql injection. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.
Title AojiaoZero Antaris PayPal IPN Payment ipn.php _rewardPurchase sql injection
First Time appeared Aojiaozero
Aojiaozero antaris
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:aojiaozero:antaris:*:*:*:*:*:*:*:*
Vendors & Products Aojiaozero
Aojiaozero antaris
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


Subscriptions

Aojiaozero Antaris
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-07-12T12:45:07.222Z

Reserved: 2026-07-11T12:49:06.454Z

Link: CVE-2026-15502

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-12T22:00:13Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')