Description
A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this issue is the function save_menu of the file /admin/ajax.php?action=save_menu. Performing a manipulation results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used.
Published: 2026-04-29
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the function save_menu of /admin/ajax.php?action=save_menu in SourceCodester Pizzafy Ecommerce System 1.0. It allows an attacker to inject malicious SQL statements by manipulating input parameters, resulting in unauthorized data access, modification, or deletion. The injected code can alter the database state, potentially exposing sensitive customer information or compromising system integrity. The weakness is identified as CWE-74 (Injection) and CWE-89 (SQL Injection).

Affected Systems

The affected product is SourceCodester Pizzafy Ecommerce System version 1.0. No other vendors or versions are listed as affected.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate risk profile, with no EPSS score available and the vulnerability not listed in the CISA KEV catalog. The attack vector is remote, meaning an attacker can trigger the flaw from anywhere with network access to the vulnerable system. Because the exploit is publicly available, the likelihood of exploitation is significant for systems that run this unpatched version.

Generated by OpenCVE AI on April 30, 2026 at 03:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑released patch or upgrade to a newer version of Pizzafy that addresses the injection flaw.
  • If a patch is unavailable, restrict access to the /admin/ajax.php endpoint so that only authenticated administrators can invoke the save_menu action.
  • Modify the application code to use prepared statements or other parameterized query techniques, ensuring that user input cannot alter SQL command structure.

Generated by OpenCVE AI on April 30, 2026 at 03:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Sourcecodester
Sourcecodester pizzafy Ecommerce System
Vendors & Products Sourcecodester
Sourcecodester pizzafy Ecommerce System

Wed, 29 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this issue is the function save_menu of the file /admin/ajax.php?action=save_menu. Performing a manipulation results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used.
Title SourceCodester Pizzafy Ecommerce System ajax.php save_menu sql injection
Weaknesses CWE-74
CWE-89
References
Metrics cvssV2_0

{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Sourcecodester Pizzafy Ecommerce System
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-30T13:09:46.095Z

Reserved: 2026-04-29T13:17:28.499Z

Link: CVE-2026-7408

cve-icon Vulnrichment

Updated: 2026-04-30T13:09:40.710Z

cve-icon NVD

Status : Deferred

Published: 2026-04-29T21:16:22.660

Modified: 2026-04-29T21:16:40.893

Link: CVE-2026-7408

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T03:45:06Z

Weaknesses