Description
A vulnerability was detected in code-projects Online Shoe Store 1.0. This affects an unknown part of the file /admin/admin_feature.php of the component Add Product Page. The manipulation of the argument product_name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.
Published: 2026-04-06
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-site scripting (remote)
Action: Patch
AI Analysis

Impact

The vulnerability is a stored or reflected cross-site scripting flaw that results from unsanitized handling of the product_name parameter in the Add Product page. An attacker can inject arbitrary JavaScript that executes in the browser of an administrator viewing the page, enabling session hijacking, defacement, or actions performed with the administrator's privileges.

Affected Systems

The flaw exists in the Online Shoe Store 1.0 application, specifically in the /admin/admin_feature.php file, published by the vendor code-projects. No other affected versions are noted; the component is part of the add-product functionality and the issue is identified only in version 1.0.

Risk and Exploitability

The CVSS score of 4.8 classifies the issue as medium severity; EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack can be launched remotely via a crafted request to the product_name field, and the exploit is publicly documented. While no current exploitation activity is tracked, the public nature of the finding and the remote entry point suggest that future automated attacks may target this flaw.

Generated by OpenCVE AI on April 6, 2026 at 14:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Online Shoe Store to a version that includes the XSS fix.
  • Implement input validation or output encoding for the product_name parameter.
  • Ensure that only authorized administrators can access the /admin/admin_feature.php page, preferably over HTTPS.
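As an added example (not code from the Online Shoe Store project, whose source is not shown on this page), the following PHP sketches the recommended fix for product_name handling on an add-product page: validate the submitted value against an allowlist and encode it with htmlspecialchars at the point of output. The "before" line, the row markup and the response on rejection are assumptions for illustration.

```php
<?php
// Added example, not code from the Online Shoe Store project. The vulnerable
// pattern is assumed: the submitted product_name is echoed into HTML unencoded.
// Before (assumed): echo "<td>" . $_POST['product_name'] . "</td>";

/**
 * Validate the product_name input: reject anything outside a conservative
 * allowlist and length bound rather than trying to strip "bad" characters.
 * Returns the trimmed name, or null if it is not acceptable.
 */
function validate_product_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    // Letters, digits, spaces and a few punctuation marks commonly found in
    // product names. Angle brackets and quotes are never needed here.
    if (!preg_match('/^[\p{L}\p{N} .,\'&()\-]+$/u', $name)) {
        return null;
    }
    return $name;
}

/**
 * Encode a value for insertion into HTML text or a double-quoted attribute.
 * ENT_QUOTES encodes both quote types; ENT_SUBSTITUTE avoids returning an
 * empty string on invalid UTF-8, which would otherwise silently drop input.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render the product row with the name encoded at the point of output. */
function render_product_row(string $productName): string
{
    return '<tr><td>' . h($productName) . '</td>'
         . '<td><input type="text" name="product_name" value="' . h($productName) . '"></td></tr>';
}

// Handling of the Add Product form (field name taken from the advisory).
$submitted = $_POST['product_name'] ?? '';
$productName = validate_product_name($submitted);
if ($productName === null) {
    http_response_code(400);
    exit('Invalid product name.');
}
echo render_product_row($productName);
```

Output encoding is the control that actually closes the XSS; the allowlist is defense in depth and should be tuned to the product names the store legitimately needs.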

Generated by OpenCVE AI on April 6, 2026 at 14:21 UTC.

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 20:00:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Apr 2026 11:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was detected in code-projects Online Shoe Store 1.0. This affects an unknown part of the file /admin/admin_feature.php of the component Add Product Page. The manipulation of the argument product_name results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.
Title | | code-projects Online Shoe Store Add Product admin_feature.php cross site scripting
First Time appeared | | Code-projects; Code-projects online Shoe Store
Weaknesses | | CWE-79; CWE-94
CPEs | | cpe:2.3:a:code-projects:online_shoe_store:*:*:*:*:*:*:*:*
Vendors & Products | | Code-projects; Code-projects online Shoe Store
References | |
Metrics | | cvssV2_0 {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T18:32:40.211Z

Reserved: 2026-04-05T20:42:08.492Z

Link: CVE-2026-5647

Vulnrichment

Updated: 2026-04-06T18:32:36.176Z

NVD

Status : Deferred

Published: 2026-04-06T11:17:03.547

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-5647

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:32:53Z

Weaknesses