CVE-2026-7294 - Vulnerability Details

- SourceCodester Pizzafy Ecommerce System index.php save_settings cross site scripting

Description

A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function save_settings of the file /admin/index.php?page=save_settings. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used.

Published: 2026-04-28

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability occurs in the save_settings function of SourceCodester Pizzafy Ecommerce System’s administrative page. By manipulating the Name argument, an attacker can inject arbitrary JavaScript that is reflected to the browser, enabling cross‑site scripting. The consequence is that a malicious user can execute code within the context of the victim’s session, potentially stealing cookies, hijacking sessions, defacing content, or deflecting traffic. The weakness is classified as CWE‑79 and also involves potential code injection as per CWE‑94.

Affected Systems

This issue affects the 1.0 release of the SourceCodester Pizzafy Ecommerce System. Any instance running this version, or earlier releases that have not applied the fix, is susceptible. The vendor is SourceCodester and the affected component is the admin index page handling save_settings.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate threat level. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack can be launched remotely and an exploit has already been published, meaning the risk of real‑world exploitation is present. Attackers do not need privileged access to the system; simply directing a malicious request to /admin/index.php?page=save_settings with a crafted Name value will trigger the flaw.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

SourceCodester

Pizzafy Ecommerce System

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Sourcecodester

Pizzafy Ecommerce System

100%

Version	Status	Scheme	Platform
`1.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade SourceCodester Pizzafy Ecommerce System to a patched release or apply any vendor‑issued security update for the save_settings module.
Ensure that all user‑supplied data, especially the Name parameter in save_settings, is properly sanitized or escaped before rendering to the browser, using built‑in PHP functions such as htmlspecialchars or a framework’s sanitization utilities.
Deploy a Web Application Firewall or configure Content Security Policy headers for the administrative area to block or mitigate reflected XSS payloads on the affected endpoint.

Generated by OpenCVE AI on April 28, 2026 at 23:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/joaodrmmd/VulDB-Reports/blob/main/XSS%20-%20Config.pdf
https://vuldb.com/submit/803172
https://vuldb.com/vuln/359954
https://vuldb.com/vuln/359954/cti
https://www.sourcecodester.com/

History

Wed, 29 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 28 Apr 2026 22:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Sourcecodester Sourcecodester pizzafy Ecommerce System
Vendors & Products		Sourcecodester Sourcecodester pizzafy Ecommerce System

Tue, 28 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Description		A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function save_settings of the file /admin/index.php?page=save_settings. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used.
Title		SourceCodester Pizzafy Ecommerce System index.php save_settings cross site scripting
Weaknesses		CWE-79 CWE-94
References		https://github.com/joaodrmmd/VulDB-Reports/blob/main/XSS%20-%20Config.pdf https://vuldb.com/submit/803172 https://vuldb.com/vuln/359954 https://vuldb.com/vuln/359954/cti https://www.sourcecodester.com/
Metrics		cvssV2_0 `{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Sourcecodester Pizzafy Ecommerce System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-28T18:00:13.486Z

Updated: 2026-04-29T14:25:57.343Z

Reserved: 2026-04-28T10:26:00.761Z

Link: CVE-2026-7294

Vulnrichment

Updated: 2026-04-29T14:25:54.216Z

NVD

Status : Deferred

Published: 2026-04-28T19:37:48.770

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7294

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T23:15:43Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Multiple

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object