Description
A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. The affected element is the function get_cart_count of the file /admin/ajax.php?action=get_cart_count. Manipulation of the argument ID leads to SQL injection. The attack can be carried out remotely. An exploit has been published and may be used.
Published: 2026-04-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The flaw resides in the get_cart_count function of /admin/ajax.php?action=get_cart_count within SourceCodester Pizzafy Ecommerce System 1.0. The ID parameter reaches a database query without proper neutralization (CWE-89), so an attacker can inject arbitrary SQL through it. The injected statements run with the privileges of the database account the web application connects with, not merely those of the page itself, which puts the confidentiality, integrity and availability of the database at risk; the published CVSS vectors rate each of those impacts as low.

Affected Systems

SourceCodester Pizzafy Ecommerce System 1.0 is affected. No other vendors, products, or versions appear in the CNA data.

Risk and Exploitability

The CVSS 4.0 score of 6.9 indicates medium severity (the v3.1 vector scores 7.3). The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog. The vulnerable endpoint is reachable over the network, the SSVC assessment marks exploitation as automatable, and a public exploit exists, so exposed deployments carry meaningful risk despite the low EPSS. Note that every published vector records PR:N (no privileges required): the /admin/ path should not be assumed to sit behind a working login, and any reliance on authentication as a mitigation should be verified against the actual deployment.

Generated by OpenCVE AI on April 28, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑issued patch or update that addresses the SQL injection in the get_cart_count function.
  • Rewrite the get_cart_count handler to use prepared statements, binding the ID value as a parameter instead of concatenating it into the query string. Validating that the value is an integer before use is a sound additional check, but escaping alone is not a substitute for parameterization.
  • Restrict access to /admin/ajax.php by enforcing authentication, IP whitelisting, or placing the admin interface behind a firewall or VPN.

Generated by OpenCVE AI on April 28, 2026 at 23:22 UTC.
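The code below is an added example and is not code from Pizzafy or from the CNA. It models the bug class behind the Impact and Remediation text above: a cart-count handler that splices the request's ID into SQL, beside the bound-parameter form that closes the hole. The cart table, its columns and the sample rows are assumptions, and SQLite stands in for the application's MySQL database; the injection mechanics are the same. Besides the obvious tautology (an attacker-controlled count), it shows why an endpoint that "only returns a number" is still a data-exfiltration primitive: the count's truthiness is a boolean oracle that recovers any value the database user can read.

```python
"""Vulnerable versus parameterized lookup, modelled on a cart-count handler.

Added example, not code from Pizzafy or its CNA. The `cart` table, its
columns and the sample rows are assumptions, and SQLite stands in for the
application's MySQL database; the injection mechanics are the same.
"""
import re
import sqlite3
import string

# Constructed sample data: user 1 has two cart rows, user 2 has three.
SAMPLE_ROWS = [
    (1, 1, "margherita"),
    (2, 1, "cola"),
    (3, 2, "pepperoni"),
    (4, 2, "garlic bread"),
    (5, 2, "water"),
]

ALPHABET = string.ascii_lowercase + " "


def open_db() -> sqlite3.Connection:
    """In-memory database with the assumed schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cart (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, "
        "product TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO cart VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def get_cart_count_vulnerable(conn: sqlite3.Connection, raw_id: str) -> int:
    """CWE-89 pattern: the request parameter is spliced into the SQL text,
    so whatever follows the number becomes part of the WHERE clause."""
    sql = "SELECT COUNT(*) FROM cart WHERE user_id = " + raw_id
    return conn.execute(sql).fetchone()[0]


def leak_via_oracle(conn: sqlite3.Connection, subquery: str, max_len: int = 32) -> str:
    """Blind boolean extraction through the vulnerable handler. The endpoint
    only ever returns a count, but 'count > 0' versus 'count == 0' is enough
    to test one guessed character at a time of any value the DB user can read."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            cond = f"(SELECT substr(({subquery}), {pos}, 1)) = '{ch}'"
            if get_cart_count_vulnerable(conn, f"1 AND {cond}") > 0:
                recovered += ch
                break
        else:
            return recovered  # no character matched: end of the string
    return recovered


def get_cart_count_fixed(conn: sqlite3.Connection, raw_id: str) -> int:
    """Hardened form. Validation alone is not the fix (int() accepts '1_0'),
    and escaping is not the fix either: the value is bound as a parameter so
    the query text never changes."""
    if not re.fullmatch(r"[0-9]{1,10}", raw_id):
        raise ValueError("id must be a positive integer")
    user_id = int(raw_id)
    sql = "SELECT COUNT(*) FROM cart WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchone()[0]


def fixed_rejects(conn: sqlite3.Connection, raw_id: str) -> bool:
    """True when the hardened handler refuses the input."""
    try:
        get_cart_count_fixed(conn, raw_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    print("legit  :", get_cart_count_vulnerable(db, "1"))
    print("tauto  :", get_cart_count_vulnerable(db, "1 OR 1=1"))
    print("leaked :", leak_via_oracle(db, "SELECT product FROM cart WHERE id = 4"))
    print("fixed  :", get_cart_count_fixed(db, "1"))
    print("reject :", fixed_rejects(db, "1 OR 1=1"))
```

With the sample data, the legitimate request for user 1 returns 2, the tautology payload returns 5 (every row), and the oracle recovers "garlic bread" from a column the endpoint never returns. The hardened handler keeps the integer check as defence in depth, but the property that actually removes the vulnerability is that the SQL text is constant and the value travels as a bound parameter.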

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 15:15:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 09:45:00 +0000

Type: First Time appeared
Values removed: none
Values added: Sourcecodester; Sourcecodester pizzafy Ecommerce System

Type: Vendors & Products
Values removed: none
Values added: Sourcecodester; Sourcecodester pizzafy Ecommerce System

Tue, 28 Apr 2026 05:30:00 +0000

Values removed: none (initial publication)

Type: Description
Values added: A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. The affected element is the function get_cart_count of the file /admin/ajax.php?action=get_cart_count. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.

Type: Title
Values added: SourceCodester Pizzafy Ecommerce System ajax.php get_cart_count sql injection

Type: Weaknesses
Values added: CWE-74, CWE-89

Type: References
Values added: (not shown on this page)

Type: Metrics
Values added:
cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T14:15:53.135Z

Reserved: 2026-04-27T15:43:21.480Z

Link: CVE-2026-7228

Vulnrichment

Updated: 2026-04-28T14:15:45.843Z

NVD

Status: Deferred

Published: 2026-04-28T06:16:05.710

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7228

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:30:06Z

Weaknesses