Description
A security flaw has been discovered in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function delete_cart of the file /admin/ajax.php?action=delete_cart. Manipulation of the argument ID results in SQL injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.
Published: 2026-04-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Apply Patch
AI Analysis

Impact

SourceCodester Pizzafy Ecommerce System 1.0 allows an attacker to perform arbitrary SQL queries through the delete_cart endpoint by manipulating the ID parameter, which can compromise the database and lead to data disclosure, modification, or deletion.

Affected Systems

The vulnerability is present in SourceCodester Pizzafy Ecommerce System version 1.0. No other affected versions are listed.

Risk and Exploitability

The CVSS score is 6.9 and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog, but it has been publicly disclosed and a proof-of-concept exploit is available. Attackers can trigger the flaw remotely via crafted HTTP requests that alter the ID argument of the delete_cart action.

Generated by OpenCVE AI on April 28, 2026 at 19:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest version of SourceCodester Pizzafy Ecommerce System or apply the vendor-provided patch that mitigates the delete_cart SQL injection. If a patch is unavailable, contact SourceCodester support for a fix.
  • Add server-side validation to the ID parameter of the delete_cart endpoint, accepting only numeric values within a safe range, and enforce prepared statements or parameterized queries to eliminate unfiltered user input from SQL statements.
  • Configure or deploy a web application firewall that detects and blocks SQL injection attempts targeting the delete_cart action, and consider restricting administrative access to trusted IP ranges.
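The second and third recommendations in code, as an added illustration in PHP (the language of ajax.php) that is not the project's own source; the table and column names, the session key used for the admin check and the database credentials are assumptions:

```php
<?php
// Added illustration, not code from the Pizzafy project: the table/column names
// (cart, id), the $conn mysqli handle and the $_SESSION['admin_id'] key are assumed.

// BEFORE (hypothetical vulnerable pattern): the request value is concatenated
// into the SQL text, so anything other than a number changes the query itself.
function delete_cart_vulnerable(mysqli $conn): bool
{
    $id = $_POST['id'] ?? $_GET['id'] ?? '';
    return (bool) $conn->query("DELETE FROM cart WHERE id = " . $id);
}

// AFTER: require an authenticated admin session, accept only a positive integer,
// and bind it through a prepared statement so the value can never alter the SQL.
function delete_cart_hardened(mysqli $conn): array
{
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        return ['status' => 'error', 'msg' => 'not authorised'];
    }

    $raw = $_POST['id'] ?? $_GET['id'] ?? null;
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {                       // rejects empty, non-numeric and non-integer input
        http_response_code(400);
        return ['status' => 'error', 'msg' => 'invalid id'];
    }

    $stmt = $conn->prepare('DELETE FROM cart WHERE id = ?');
    if ($stmt === false) {
        http_response_code(500);
        return ['status' => 'error', 'msg' => 'server error'];
    }
    $stmt->bind_param('i', $id);               // 'i' = integer binding, no string splicing
    $ok = $stmt->execute();
    $deleted = $stmt->affected_rows;
    $stmt->close();

    return $ok ? ['status' => 'success', 'deleted' => $deleted]
               : ['status' => 'error', 'msg' => 'delete failed'];
}

// Minimal ajax.php-style dispatch (assumed shape; credentials are placeholders).
session_start();
if (($_GET['action'] ?? '') === 'delete_cart') {
    $conn = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
    header('Content-Type: application/json');
    echo json_encode(delete_cart_hardened($conn));
}
```

The validation step alone would stop the injection; the prepared statement is kept as well so that the query stays safe even if the parameter's type is later widened.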


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 09:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Sourcecodester; Sourcecodester pizzafy Ecommerce System

Type: Vendors & Products
Values Removed: (none)
Values Added: Sourcecodester; Sourcecodester pizzafy Ecommerce System

Tue, 28 Apr 2026 05:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: A security flaw has been discovered in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function delete_cart of the file /admin/ajax.php?action=delete_cart. Performing a manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.

Type: Title
Values Removed: (none)
Values Added: SourceCodester Pizzafy Ecommerce System ajax.php delete_cart sql injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-74; CWE-89

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Sourcecodester Pizzafy Ecommerce System
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T14:16:25.356Z

Reserved: 2026-04-27T15:43:07.145Z

Link: CVE-2026-7224

Vulnrichment

Updated: 2026-04-29T14:16:21.209Z

NVD

Status: Deferred

Published: 2026-04-28T06:16:04.933

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7224

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T19:45:07Z

Weaknesses