Description
A weakness has been identified in SourceCodester Pizzafy Ecommerce System 1.0. Impacted is the function get_cart_items of the file /admin/ajax.php?action=get_cart_items. Executing a manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-04-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Patch ASAP
AI Analysis

Impact

A flaw exists in the get_cart_items function of SourceCodester Pizzafy Ecommerce System 1.0 that allows an attacker to inject arbitrary SQL statements by manipulating the ID parameter of the admin/ajax.php?action=get_cart_items endpoint. The weakness is identified as CWE-74 and CWE-89. An attacker can deliver a specially crafted HTTP request to execute SQL injection against the backend database, potentially exposing sensitive data or altering application state. The public exploit code indicates that the attack vector is remote and does not require authentication.

Affected Systems

SourceCodester Pizzafy Ecommerce System, version 1.0, specifically the /admin/ajax.php script handling the get_cart_items action.

Risk and Exploitability

The CVSS base score is 5.3, indicating medium severity. The EPSS score is less than 1% and the vulnerability is not listed in CISA KEV. Exploitation requires only an unauthenticated HTTP request to a publicly accessible endpoint, and publicly available exploit code demonstrates the feasibility of this attack for an attacker with remote network access. Note, however, that every CVSS vector recorded in the history below rates the flaw as requiring low privileges (PR:L in v3.x and v4.0, Au:S in v2.0), so whether the admin endpoint is reachable without a login should be verified against the deployment's own access controls.

Generated by OpenCVE AI on April 28, 2026 at 23:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any official update or patch for the Pizzafy Ecommerce System.
  • Modify the application to sanitize the ID parameter by using parameterized queries or proper escaping before it is incorporated into SQL statements.
  • Restrict the database account used by the application to the least privileges necessary for its normal operation.
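The two code-level actions above (parameterize the ID before it reaches SQL, and run the application under a least-privilege database account) are illustrated here with an added example. This is not Pizzafy's own code and not code from OpenCVE or VulDB: the handler, the cart_items table and its columns, the $_SESSION['admin_id'] check and the pizzafy_app database account are all assumed names chosen for the illustration. The first function shows the concatenation pattern that produces CWE-89; the second is the hardened form.

```php
<?php
// Added illustration, not the vendor's code. A hypothetical get_cart_items
// handler as CWE-89 typically arises, next to a hardened version.
// Table/column names, the session key and the DB account are assumptions.

// VULNERABLE PATTERN (illustrative): the request value is spliced into the
// SQL text, so whatever it contains is parsed as part of the query.
function get_cart_items_unsafe(mysqli $db, array $request): array
{
    $id  = $request['id'] ?? '';
    $sql = "SELECT * FROM cart_items WHERE cart_id = '" . $id . "'";
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

// HARDENED: authorize the caller, validate the type, then bind the value.
function get_cart_items(mysqli $db, array $request): array
{
    // 1. This lives under /admin/, so require an admin session (assumed key).
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403);
        return [];
    }

    // 2. Reject anything that is not a positive integer before touching the DB.
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400);
        return [];
    }

    // 3. Bind as a parameter: the value can never alter the query structure.
    $stmt = $db->prepare(
        'SELECT item_id, name, qty, price FROM cart_items WHERE cart_id = ?'
    );
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// 4. Least privilege at the database layer (run once by the DBA, not by the
//    app). The web application's account needs only row-level DML on its own
//    schema; it should never hold FILE, SUPER, or grants on other databases.
//    Assumed names:
//    GRANT SELECT, INSERT, UPDATE, DELETE ON pizzafy_db.* TO 'pizzafy_app'@'localhost';
```

The validation step and the prepared statement are independent defences: even if a future change widens the accepted input (for example to a string key), the bound parameter still keeps the value out of the SQL grammar, and the restricted GRANT limits what a remaining injection could read or modify.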

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 11:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Sourcecodester; Sourcecodester pizzafy Ecommerce System

Type: Vendors & Products
Values Removed: (none)
Values Added: Sourcecodester; Sourcecodester pizzafy Ecommerce System

Tue, 28 Apr 2026 10:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: A weakness has been identified in SourceCodester Pizzafy Ecommerce System 1.0. Impacted is the function get_cart_items of the file /admin/ajax.php?action=get_cart_items. Executing a manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.

Type: Title
Values Removed: (none)
Values Added: SourceCodester Pizzafy Ecommerce System ajax.php get_cart_items sql injection

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-74; CWE-89

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-05T20:21:21.943Z

Reserved: 2026-04-28T05:23:13.636Z

Link: CVE-2026-7264

Vulnrichment

Updated: 2026-04-29T15:22:28.658Z

NVD

Status : Deferred

Published: 2026-04-28T10:16:03.883

Modified: 2026-05-05T21:16:24.117

Link: CVE-2026-7264

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:30:06Z

Weaknesses