Description
A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function save_user of the file /admin/ajax.php?action=save_user. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used.
Published: 2026-04-29
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in SourceCodester Pizzafy Ecommerce System 1.0 allows an attacker to inject arbitrary SQL through the save_user function in /admin/ajax.php. The vulnerability is a classic SQL injection (CWE-89): request input reaches the SQL layer without being neutralized, which is the broader injection weakness class CWE-74. If successfully exploited, an attacker could read, modify, or delete database records, potentially exposing sensitive user data or disrupting the service.

Affected Systems

The vulnerable component is the SourceCodester Pizzafy Ecommerce System version 1.0, specifically the save_user action in /admin/ajax.php, an administrative endpoint that is reachable remotely.

Risk and Exploitability

The flaw carries a CVSS score of 5.1, indicating moderate severity. No EPSS value is available, and it is not listed in the CISA KEV catalog. The exploit has been published and can be launched remotely via HTTP, making it accessible without local access and increasing the likelihood of exploitation.

Generated by OpenCVE AI on April 30, 2026 at 03:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of Pizzafy Ecommerce System if an update addressing this SQL injection flaw has been released.
  • Implement input validation on the save_user endpoint and switch to parameterized queries or ORM methods to eliminate unsanitized user input.
  • Configure a web application firewall or adjust access controls to block suspicious SQL patterns and monitor logs for anomalous database activity.
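To make the second recommendation concrete, the following is an added illustration and not code from Pizzafy Ecommerce System or from OpenCVE: a save_user-style handler written with string concatenation (the CWE-89 pattern the advisory describes) beside a hardened version that validates each field against an allow-list and binds every value through a PDO prepared statement. The table and column names (users, id, username, email, role), the database name, the credentials and the accepted roles are all assumptions made for the example.

```php
<?php
// Added illustrative example; not the Pizzafy Ecommerce System's own code.
// Table/column names, database name and role list are hypothetical.

// UNSAFE pattern: request values are concatenated straight into the SQL text
// (CWE-89). Any quote or operator in $post changes the shape of the query.
function save_user_unsafe(mysqli $db, array $post): bool
{
    $id    = $post['id'] ?? '';
    $name  = $post['username'] ?? '';
    $email = $post['email'] ?? '';
    $sql = "UPDATE users SET username = '$name', email = '$email' WHERE id = $id";
    return $db->query($sql) !== false;
}

// HARDENED pattern: validate the shape of every field first, then pass the
// values as bound parameters so they can never alter the query structure.
function save_user_safe(PDO $db, array $post): bool
{
    $id    = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    $name  = $post['username'] ?? '';
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $role  = $post['role'] ?? '';
    $allowedRoles = ['admin', 'staff'];   // hypothetical allow-list

    if ($id === false || $email === false
        || !in_array($role, $allowedRoles, true)
        || !preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $name)) {
        http_response_code(400);
        return false;
    }

    // The SQL text is fixed at this point; user data travels separately.
    $stmt = $db->prepare(
        'UPDATE users SET username = :username, email = :email, role = :role WHERE id = :id'
    );
    $stmt->bindValue(':username', $name, PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':role', $role, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    return $stmt->execute();
}

// Connection settings that back the hardened version: real server-side
// prepares (no client-side emulation) and exceptions instead of silent failure.
function connect(): PDO
{
    $db = new PDO('mysql:host=localhost;dbname=pizzafy;charset=utf8mb4',
                  'app', getenv('DB_PASSWORD'));   // hypothetical DSN/credentials
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $db;
}

// Dispatch in the style of an ajax.php?action=save_user request.
if (($_GET['action'] ?? '') === 'save_user') {
    echo save_user_safe(connect(), $_POST) ? 'ok' : 'invalid input';
}
```

The validation step is not a substitute for the prepared statement; it exists so that malformed requests are rejected with a 400 and logged before they ever reach the database, which also gives the monitoring suggested in the third bullet a clean signal to alert on.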

Generated by OpenCVE AI on April 30, 2026 at 03:42 UTC.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 29 Apr 2026 22:45:00 +0000

Type: First Time appeared
Values Added: Sourcecodester
Sourcecodester pizzafy Ecommerce System

Type: Vendors & Products
Values Added: Sourcecodester
Sourcecodester pizzafy Ecommerce System

Wed, 29 Apr 2026 21:30:00 +0000

Type: Description
Values Added: A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function save_user of the file /admin/ajax.php?action=save_user. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used.

Type: Title
Values Added: SourceCodester Pizzafy Ecommerce System ajax.php save_user sql injection

Type: Weaknesses
Values Added: CWE-74
CWE-89

Type: References

Type: Metrics
Values Added: cvssV2_0
{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0
{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1
{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0
{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-30T13:54:07.930Z

Reserved: 2026-04-29T13:17:32.992Z

Link: CVE-2026-7409

Vulnrichment

Updated: 2026-04-30T13:53:46.581Z

NVD

Status: Deferred

Published: 2026-04-29T22:16:21.920

Modified: 2026-04-30T14:52:54.847

Link: CVE-2026-7409

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T03:45:06Z

Weaknesses