Description
A vulnerability has been found in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this issue is the function save_menu of the file /admin/ajax.php?action=save_menu. Such manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-04-28
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: Cross Site Scripting
Action: Assess Impact
AI Analysis

Impact

A cross-site scripting vulnerability exists in the SourceCodester Pizzafy Ecommerce System version 1.0, within the save_menu function of /admin/ajax.php?action=save_menu. By manipulating the Name argument, an attacker can inject arbitrary JavaScript that will execute in the browser of users accessing the menu administration interface. This flaw is categorized under CWE-79 and can lead to session hijacking, defacement, or theft of sensitive data.

Affected Systems

The affected product is SourceCodester Pizzafy Ecommerce System 1.0. No later versions are listed as vulnerable, and a specific patch is not currently available from the vendor.

Risk and Exploitability

The CVSS score of 4.8 reflects moderate severity. The vulnerability can be triggered remotely via the /admin/ajax.php?action=save_menu endpoint, and the CVE description does not specify whether authentication is required, leaving this detail uncertain. EPSS information is not available, and the issue is not listed in the CISA KEV catalog. Attackers can exploit it by submitting a payload in the Name field when adding or editing a menu item, causing malicious scripts to execute in the context of the application for all users who view that menu.

Generated by OpenCVE AI on April 29, 2026 at 01:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor-provided patch or upgrade to a version that removes the XSS flaw.
  • Ensure that the Name field in the save_menu function is validated and sanitized, and that output is properly encoded to eliminate script injection.
  • Implement a Content Security Policy that forbids inline scripts and limits script sources to approved domains.
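One way to carry out the second and third actions, shown as an added illustration that is not the Pizzafy project's own code (the function names, the PDO table layout and the allowed character set are assumptions): validate the menu name when save_menu receives it, encode it whenever it is rendered, and send a Content Security Policy that forbids inline scripts.

```php
<?php
// Added illustration of hardened handling for a menu "name" field.
// Not the Pizzafy project's code; function, table and column names are assumed.
declare(strict_types=1);

// Accept a menu name only if it is non-empty, bounded in length and built from
// characters a menu name plausibly needs (assumed set); reject everything else.
function validate_menu_name(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{N} .,&\'()-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// Encode on output so that stored data containing markup is rendered as text,
// whatever path it took into the database.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// save_menu handler: validate first, then store via a prepared statement.
function save_menu(PDO $db, array $post): array
{
    $name = validate_menu_name((string) ($post['name'] ?? ''));
    if ($name === null) {
        return ['status' => 'error', 'msg' => 'Invalid menu name'];
    }
    $stmt = $db->prepare('INSERT INTO menu (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return ['status' => 'ok'];
}

// Rendering the menu list: encode every field and forbid inline scripts via CSP.
function render_menu(array $rows): string
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    $out = '<ul>';
    foreach ($rows as $row) {
        $out .= '<li>' . h((string) $row['name']) . '</li>';
    }
    return $out . '</ul>';
}
```

The validation regex is deliberately strict; widen the character class only for characters the menu genuinely needs, and keep the output encoding regardless, since it is the control that holds even when stored data is already tainted.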

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 22:30:00 +0000

Type: First Time appeared
  Values Added: Sourcecodester; Sourcecodester pizzafy Ecommerce System

Type: Vendors & Products
  Values Added: Sourcecodester; Sourcecodester pizzafy Ecommerce System

Tue, 28 Apr 2026 19:15:00 +0000

Type: Description
  Values Added: A vulnerability has been found in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this issue is the function save_menu of the file /admin/ajax.php?action=save_menu. Such manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Type: Title
  Values Added: SourceCodester Pizzafy Ecommerce System ajax.php save_menu cross site scripting

Type: Weaknesses
  Values Added: CWE-79; CWE-94

Type: References
  Values Added:

Type: Metrics
  Values Added:
    cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T18:15:11.370Z

Reserved: 2026-04-28T10:26:16.361Z

Link: CVE-2026-7295

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-04-28T19:37:48.923

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7295

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T01:30:06Z

Weaknesses