Description
A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected is the function delete_category of the file /admin/ajax.php?action=delete_category. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit is now public and may be used.
Published: 2026-04-28
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection – potential unauthorized database access or modification
Action: Apply Patch
AI Analysis

Impact

A function in the admin area that deletes categories accepts an ID parameter without proper input validation, allowing attackers to inject arbitrary SQL commands. The flaw is remotely exploitable and can lead to data exposure, data corruption, or unauthorized actions within the database. The root cause is improper handling of user-supplied input, as reflected in the assigned weakness identifiers: CWE-74 (injection) and CWE-89 (SQL injection).

Affected Systems

SourceCodester Pizzafy Ecommerce System version 1.0 is affected. The vulnerability resides in the delete_category action within admin/ajax.php of this product.

Risk and Exploitability

The vulnerability has a CVSS score of 5.1 (Medium). The EPSS score is unavailable, and it is not listed in CISA's KEV catalog. The flaw is remotely exploitable, and an exploit is publicly available.

Generated by OpenCVE AI on April 28, 2026 at 23:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official patch or update to the Pizzafy Ecommerce System that resolves the delete_category SQL injection.
  • If no patch is available, implement strict input validation for the 'ID' parameter—accept only numeric values and sanitize before use in SQL statements.
  • Configure the database account used by the application with the least privileges required, limiting the effect of any injected query.
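The second and third actions above, shown as an added illustration that is not Pizzafy's own code: a hypothetical category-delete handler that validates the id as a positive integer and binds it as a query parameter instead of splicing it into the SQL string. The `$pdo` connection, the `categories` table with an integer `id` column, and the credentials are assumptions for the example.

```php
<?php
// Added illustration (not the Pizzafy code base): a delete_category handler
// that validates the id and binds it, rather than concatenating it into SQL.
// Assumes a PDO connection and a table `categories` with an integer `id`.

declare(strict_types=1);

/**
 * Returns the validated category id, or null if the input is not a positive integer.
 * FILTER_VALIDATE_INT rejects inputs such as "1 OR 1=1", "1; DROP TABLE x", "1.0" and "".
 */
function validateCategoryId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Deletes one category and returns the number of rows removed (0 or 1).
 * The id is bound as an integer parameter, so the value can never change the
 * structure of the statement even if validation were bypassed.
 */
function deleteCategory(PDO $pdo, mixed $rawId): int
{
    $id = validateCategoryId($rawId);
    if ($id === null) {
        http_response_code(400);   // reject instead of guessing what was meant
        return 0;
    }
    $stmt = $pdo->prepare('DELETE FROM categories WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Weak pattern this replaces: the raw request value spliced into the SQL text,
// which is what allows a crafted `id` to alter the query.
//   $pdo->exec("DELETE FROM categories WHERE id = " . $_POST['id']);

// Dispatch mirroring an ajax.php?action=delete_category entry point (hypothetical).
if (($_GET['action'] ?? '') === 'delete_category') {
    // Placeholder credentials; the account should hold only the privileges the
    // application needs (here: DELETE on `categories`), per the least-privilege action.
    $pdo = new PDO('mysql:host=localhost;dbname=pizzafy', 'app_user', 'CHANGE_ME',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $removed = deleteCategory($pdo, $_POST['id'] ?? null);
    header('Content-Type: application/json');
    echo json_encode(['deleted' => $removed]);
}
```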

Generated by OpenCVE AI on April 28, 2026 at 23:11 UTC.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 14:15:00 +0000

  Type: Metrics
  Values Removed: (none)
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 21:45:00 +0000

  Type: First Time appeared
  Values Removed: (none)
  Values Added: Sourcecodester; Sourcecodester pizzafy Ecommerce System

  Type: Vendors & Products
  Values Removed: (none)
  Values Added: Sourcecodester; Sourcecodester pizzafy Ecommerce System

Tue, 28 Apr 2026 19:15:00 +0000

  Type: Description
  Values Removed: (none)
  Values Added: A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected is the function delete_category of the file /admin/ajax.php?action=delete_category. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit is now public and may be used.

  Type: Title
  Values Removed: (none)
  Values Added: SourceCodester Pizzafy Ecommerce System ajax.php delete_category sql injection

  Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-74; CWE-89

  Type: References
  Values Removed: (none)
  Values Added: (none listed)

  Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV2_0 {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0 {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T13:34:28.157Z

Reserved: 2026-04-28T10:25:57.480Z

Link: CVE-2026-7293

Vulnrichment

Updated: 2026-04-29T13:34:23.161Z

NVD

Status: Deferred

Published: 2026-04-28T19:37:48.603

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7293

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:15:43Z

Weaknesses