Description
A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. The impacted element is the function save_order of the file /admin/ajax.php?action=save_order. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.
Published: 2026-04-28
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Patch
AI Analysis

Impact

The affected component is the save_order action in /admin/ajax.php of SourceCodester Pizzafy Ecommerce System 1.0. By manipulating the ID argument, an attacker can inject arbitrary SQL statements. This flaw allows remote execution of attacker-controlled SQL queries that may read, modify, or delete data in the database, potentially exposing sensitive customer information or disrupting order processing; note that the CVSS vectors recorded on this page rate the required privileges as low (PR:L), not none. The weakness exhibits characteristics of CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')) and CWE-89 (SQL Injection).

Affected Systems

SourceCodester Pizzafy Ecommerce System version 1.0 is vulnerable. No other versions are noted as affected.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score listed for this CVE is below 1% (very low), so the predicted likelihood of exploitation is small, but the vulnerability is publicly documented and can be triggered remotely via the /admin/ajax.php endpoint. It is not listed in CISA's KEV catalog, yet the availability of a public exploit means an attacker can target this system with relative ease. The attack requires network access to the server hosting the application, the low level of privilege the CVSS vectors record (PR:L), and the ability to send crafted HTTP requests to the vulnerable endpoint.

Generated by OpenCVE AI on April 28, 2026 at 12:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or upgrade to a fixed version of SourceCodester Pizzafy Ecommerce System that eliminates the vulnerable ID handling in save_order, once one is available (none is listed under Remediation above).
  • Refactor the save_order function to use prepared statements or parameterized queries and validate all input to prevent arbitrary SQL execution.
  • Restrict access to /admin/ajax.php by enforcing authentication, role-based permissions, or IP filtering, and monitor traffic for anomalous SQL-like payloads.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 12:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Sourcecodester; Sourcecodester pizzafy Ecommerce System
Vendors & Products  |                | Sourcecodester; Sourcecodester pizzafy Ecommerce System

Tue, 28 Apr 2026 11:30:00 +0000

Type        | Values Removed | Values Added
Description |                | A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. The impacted element is the function save_order of the file /admin/ajax.php?action=save_order. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.
Title       |                | SourceCodester Pizzafy Ecommerce System ajax.php save_order sql injection
Weaknesses  |                | CWE-74; CWE-89
References  |                |
Metrics     |                | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
            |                | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
            |                | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
            |                | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T10:45:11.835Z

Reserved: 2026-04-28T05:23:20.821Z

Link: CVE-2026-7266

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-28T12:16:02.120

Modified: 2026-04-28T12:16:02.120

Link: CVE-2026-7266

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T12:30:30Z

Weaknesses