Description
A vulnerability was determined in SourceCodester Pizzafy Ecommerce System 1.0. It affects the function save_user of the file /admin/ajax.php?action=save_user. Manipulating the argument Name can lead to cross-site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be used.
Published: 2026-04-28
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: Cross‑Site Scripting
Action: Patch immediately
AI Analysis

Impact

The vulnerability resides in the save_user function behind the /admin/ajax.php?action=save_user endpoint of SourceCodester Pizzafy Ecommerce System 1.0. The Name parameter is not neutralized, so an attacker who can submit a crafted value over HTTP can inject script that is executed when a victim's browser renders the affected page. The injected JavaScript runs in the victim's session context and could exfiltrate data or perform actions on the victim's behalf.

Affected Systems

Systems running SourceCodester Pizzafy Ecommerce System version 1.0 and exposing the /admin/ajax.php?action=save_user endpoint are susceptible. The issue is confined to the handling of the Name field in the save_user function.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. No EPSS information is available, and the vulnerability is not listed in CISA's KEV catalog. It is exploitable remotely via an HTTP request that supplies a malicious Name value, and because the flaw is publicly disclosed, attackers could already be exploiting it. The overall risk is rated medium: the recorded CVSS vectors require high privileges (PR:H) and user interaction, and the attack depends on the victim loading the affected page.

Generated by OpenCVE AI on April 29, 2026 at 01:18 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Pizzafy Ecommerce System to the latest version that contains the XSS fix.
  • If an update is not immediately available, handle the Name input on the server side: strip disallowed tags on input and HTML-encode special characters at the point where the value is rendered back to any user, so a stored value can never be interpreted as markup.
  • Deploy a strict Content Security Policy that blocks inline script execution and restricts script sources to trusted origins, so user-generated content cannot execute even if encoding is missed somewhere.
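
The server-side encoding and CSP measures above, as an added PHP example that is not Pizzafy's own code: the function names (validate_name, h, render_user_row, send_csp_header), the user-list markup and the assumption that the stored Name is rendered in an admin user list are hypothetical.

```php
<?php
// Added example, not Pizzafy's own code: hardened handling of the "Name"
// field for a save_user-style admin AJAX action. Function names and the
// user-list markup are hypothetical.
declare(strict_types=1);

// Input validation: reject empty, over-long or control-character names.
// This limits junk data but is not the XSS control; encoding at output is.
function validate_name(string $name): bool
{
    $name = trim($name);
    return $name !== ''
        && mb_strlen($name, 'UTF-8') <= 100
        && preg_match('/[\x00-\x1F\x7F]/u', $name) === 0; // false on bad UTF-8
}

// Encode for the HTML text and quoted-attribute context at render time.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids an empty
// result on invalid UTF-8 instead of silently dropping the value.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render one row of the admin user list: every user-controlled value
// goes through h(), whatever was checked when it was saved.
function render_user_row(array $user): string
{
    return '<tr><td>' . h($user['name']) . '</td>'
         . '<td><a href="?page=users&amp;id=' . (int) $user['id']
         . '" data-name="' . h($user['name']) . '">edit</a></td></tr>';
}

// CSP without 'unsafe-inline' so inline script cannot run even if a payload
// reaches the page unencoded; 'self' is an assumed script origin.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'");
}

// Constructed sample standing in for an attacker-controlled Name value.
$sample = ['id' => 7, 'name' => 'Bob <script>alert(1)</script>'];
if (validate_name($sample['name'])) {
    send_csp_header();
    echo render_user_row($sample), PHP_EOL;
}
```

Running it prints the row with the angle brackets entity-encoded, so the sample is displayed as text rather than parsed as a script element.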


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 23:45:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added: Sourcecodester; Sourcecodester pizzafy Ecommerce System

Type: Vendors & Products
  Values removed: (none)
  Values added: Sourcecodester; Sourcecodester pizzafy Ecommerce System

Tue, 28 Apr 2026 22:15:00 +0000

Type: Description
  Values removed: (none)
  Values added: A vulnerability was determined in SourceCodester Pizzafy Ecommerce System 1.0. This vulnerability affects the function save_user of the file /admin/ajax.php?action=save_user. Executing a manipulation of the argument Name can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.

Type: Title
  Values removed: (none)
  Values added: SourceCodester Pizzafy Ecommerce System ajax.php save_user cross site scripting

Type: Weaknesses
  Values removed: (none)
  Values added: CWE-79; CWE-94

Type: References
  Values removed: (none)
  Values added: (empty)

Type: Metrics
  Values removed: (none)
  Values added:
    cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T18:45:12.251Z

Reserved: 2026-04-28T10:26:35.815Z

Link: CVE-2026-7297

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-28T22:16:50.557

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7297

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T01:30:06Z

Weaknesses