Description
A weakness has been identified in SourceCodester Pizzafy Ecommerce System 1.0. This vulnerability affects the function delete_menu of the file /admin/ajax.php?action=delete_menu. Executing a manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-04-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Apply Patch
AI Analysis

Impact

A flaw in the delete_menu function of the admin interface of SourceCodester Pizzafy Ecommerce System 1.0 allows a malicious actor to manipulate the ID query parameter sent to /admin/ajax.php?action=delete_menu. If SQL syntax is inserted into this parameter, the application can be coerced into executing unintended database statements. The vulnerability is a classic SQL injection flaw (CWE-74 and CWE-89) that could enable unauthorized data modification, exposure, or deletion, thereby compromising the confidentiality and integrity of the system's data.

Affected Systems

The affected product is SourceCodester Pizzafy Ecommerce System version 1.0. Only this version is documented as vulnerable; older or newer releases are not listed as affected. The specific exploit target is the delete_menu action within the admin/ajax.php script, which is publicly reachable via the web interface.

Risk and Exploitability

The CVSS score of 6.9 signals moderate severity, while the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, so no active exploitation has been reported. Based on the description, the attack can be launched remotely over HTTP, and no authentication or privileged access is mentioned; it is therefore inferred that unauthenticated users with network access to the application could execute the injection. No additional prerequisites are identified, so the vulnerability is exploitable by any user who can reach the delete_menu endpoint.

Generated by OpenCVE AI on April 28, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply vendor patch or upgrade to a version that sanitizes the ID parameter or uses parameterized queries in delete_menu.
  • If no patch is immediately available, restrict network access to the /admin/ajax.php endpoint by whitelisting trusted IP addresses or applying a firewall rule.
  • Implement input validation to ensure that the ID supplied is numeric before inclusion in SQL, and review other database interaction code for similar injection risks.
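The numeric validation and parameterized-query advice above, as an added illustration that is not the project's own code: a hypothetical PHP handler in the string-concatenation form the advisory describes, beside its hardened form, run against an in-memory SQLite database with constructed rows. The table and column names (menu_list, id) and the $request array shape are assumptions; only the endpoint's ID parameter comes from the advisory.

```php
<?php
// Added example, not the project's own code. The table menu_list, its id column
// and the $request array shape are assumptions; the ID parameter is from the advisory.
declare(strict_types=1);

// The pattern the advisory describes: untrusted request input concatenated into SQL,
// so the value of $request['id'] becomes part of the statement text.
function delete_menu_vulnerable(PDO $db, array $request): int
{
    return $db->exec('DELETE FROM menu_list WHERE id = ' . $request['id']);
}

// Hardened form: reject anything that is not a positive integer, then bind the
// value as a typed parameter so the driver never parses it as SQL.
function delete_menu_hardened(PDO $db, array $request): int
{
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('DELETE FROM menu_list WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Self-contained demonstration with constructed data in an in-memory SQLite database.
// (With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES to false so prepares are server-side.)
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE menu_list (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO menu_list (id, name) VALUES (1, 'Margherita'), (2, 'Pepperoni'), (3, 'Hawaiian')");

$crafted = ['id' => '1 OR 1=1']; // constructed value that widens the WHERE clause

try {
    delete_menu_hardened($db, $crafted);
} catch (InvalidArgumentException $e) {
    echo "hardened: rejected ({$e->getMessage()})\n";
}
// A well-formed numeric ID still works through the prepared statement.
echo 'hardened: deleted ' . delete_menu_hardened($db, ['id' => '2']) . " row(s)\n";

// The vulnerable handler runs the widened statement and deletes every remaining row.
echo 'vulnerable: deleted ' . delete_menu_vulnerable($db, $crafted) . " row(s)\n";
```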



Advisories

No advisories yet.

History

Wed, 29 Apr 2026 15:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 09:45:00 +0000

Type: First Time appeared
Values added: Sourcecodester; Sourcecodester pizzafy Ecommerce System

Type: Vendors & Products
Values added: Sourcecodester; Sourcecodester pizzafy Ecommerce System

Tue, 28 Apr 2026 05:30:00 +0000

Type: Description
Values added: A weakness has been identified in SourceCodester Pizzafy Ecommerce System 1.0. This vulnerability affects the function delete_menu of the file /admin/ajax.php?action=delete_menu. Executing a manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.

Type: Title
Values added: SourceCodester Pizzafy Ecommerce System ajax.php delete_menu sql injection

Type: Weaknesses
Values added: CWE-74; CWE-89

Type: References
Values added: (none shown)

Type: Metrics
Values added:
  cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T14:44:59.194Z

Reserved: 2026-04-27T15:43:11.953Z

Link: CVE-2026-7225

Vulnrichment

Updated: 2026-04-29T14:44:47.382Z

NVD

Status: Deferred

Published: 2026-04-28T06:16:05.157

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:30:06Z

Weaknesses