Description
A vulnerability was found in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function save_order of the file /admin/ajax.php?action=save_order. Performing a manipulation of the argument first_name results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
Published: 2026-04-28
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

This vulnerability is a stored cross‑site scripting flaw in the save_order operation of the Pizzafy Ecommerce System. An attacker can supply a crafted first_name value that is later rendered in the browser without proper encoding, allowing arbitrary script execution. This can be used to hijack sessions, steal credentials, or deface the site, affecting the confidentiality and integrity of the user’s session data.

Affected Systems

SourceCodester Pizzafy Ecommerce System version 1.0 running the admin/ajax.php handler for the save_order action is affected. No other versions or products are listed as impacted.

Risk and Exploitability

With a CVSS score of 4.8 and no EPSS information, the risk is moderate but tangible. The vulnerability can be exploited remotely and a public exploit exists, though it is not yet catalogued in CISA KEV. The attack is likely performed via a crafted request to the save_order endpoint, requiring the attacker to supply a malicious first_name parameter.

Generated by OpenCVE AI on April 29, 2026 at 02:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch or upgrade to the latest Pizzafy version if an update is available.
  • Implement server‑side validation and output encoding on the first_name parameter to ensure only safe content is stored and displayed.
  • Deploy application‑level security controls such as a content security policy or web‑application firewall to block injected scripts.
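One way to carry out the validation-and-encoding recommendation, as an added example in PHP (the language of the ajax.php handler) that is not Pizzafy's own code; the function names, the field handling and the sample inputs are assumptions:

```php
<?php
// Added example, not code from Pizzafy: validate first_name where save_order
// accepts it, and encode the stored value for each output context when an
// admin page later renders it. Function names here are assumptions.
declare(strict_types=1);

// Accept only a plausible customer first name so hostile markup is never
// stored: letters in any script, combining marks, spaces, ' . and -.
function validate_first_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 50) {
        return null;
    }
    return preg_match('/^[\p{L}\p{M}\' .-]+\z/u', $name) === 1 ? $name : null;
}

// HTML text and attribute context. ENT_QUOTES also encodes the single quote,
// so a valid name like O'Brien cannot terminate a single-quoted attribute.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// JavaScript string-literal context: validation alone is not enough here,
// the encoding must match where the value lands.
function js_escape(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR;
    return json_encode($value, $flags);
}

// Constructed inputs standing in for the first_name field of a save_order request.
foreach (["Zoë O'Brien", '<b>Alice</b>'] as $submitted) {
    $first = validate_first_name($submitted);
    if ($first === null) {
        // What save_order should answer instead of storing the value.
        echo json_encode(['status' => 'failed', 'msg' => 'Invalid first name']), "\n";
        continue;
    }
    // Vulnerable pattern being replaced: echo "<td>$first</td>";
    echo '<td title="' . html_escape($first) . '">' . html_escape($first) . "</td>\n";
    echo '<script>var customer = ' . js_escape($first) . ";</script>\n";
}
```

The second input is rejected before it reaches the database, while the first shows that a legitimate name still needs context-specific encoding at render time.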

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 23:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Sourcecodester
                                       Sourcecodester pizzafy Ecommerce System
Vendors & Products                     Sourcecodester
                                       Sourcecodester pizzafy Ecommerce System

Tue, 28 Apr 2026 22:15:00 +0000

Type          Values Removed   Values Added
Description                    A vulnerability was found in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function save_order of the file /admin/ajax.php?action=save_order. Performing a manipulation of the argument first_name results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used.
Title                          SourceCodester Pizzafy Ecommerce System ajax.php save_order cross site scripting
Weaknesses                     CWE-79
                               CWE-94
References
Metrics                        cvssV2_0  {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
                               cvssV3_0  {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                               cvssV3_1  {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
                               cvssV4_0  {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T12:13:39.571Z

Reserved: 2026-04-28T10:26:26.639Z

Link: CVE-2026-7296

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-28T22:16:50.390

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7296

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T02:15:47Z

Weaknesses