Description
A vulnerability has been found in SourceCodester Pizzafy Ecommerce System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=add_to_cart. The manipulation of the argument pid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-04-29
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The SourceCodester Pizzafy Ecommerce System contains a code flaw in the file /admin/ajax.php at the action add_to_cart. Manipulating the pid parameter leads to an SQL injection, which allows an attacker to execute arbitrary SQL commands against the system database. This can result in unauthorized reading, modification, or deletion of data, potentially compromising the confidentiality, integrity, and availability of the application’s data store.

Affected Systems

The affected product is SourceCodester Pizzafy Ecommerce System version 1.0. No additional version information is listed in the CNA data, so all deployments of this version should be assumed vulnerable.

Risk and Exploitability

The CVSS score is 5.3, indicating a moderate risk. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector appears to be remote, as the vulnerable endpoint can be accessed via HTTP requests, and no authentication requirement is explicitly mentioned. It is therefore inferred that an external attacker could potentially exploit the flaw without prior credentials. A successful injection would let the attacker run database operations that undermine the application’s security.

Generated by OpenCVE AI on April 30, 2026 at 03:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the vendor’s patch or upgrade to a version where the SQL injection issue has been fixed.
  • If a patch is unavailable, restrict or block external access to the /admin/ajax.php add_to_cart endpoint using firewall rules or web-application firewall rules, and ensure that only authorized users can reach it.
  • Modify the application to validate and sanitize the pid parameter and use prepared statements (parameterized queries) to eliminate the injection vector.
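As an added illustration of the last recommended action (this is not the Pizzafy project's code; the function, table and column names, the $conn connection and the session-backed cart are assumptions), a hardened add_to_cart handler that validates pid as an integer and binds it through a mysqli prepared statement:

```php
<?php
// Added example, not the application's own code. Assumptions: a mysqli
// connection in $conn (mysqlnd available for get_result()), a `products`
// table with an integer `id` column, and a cart kept in the PHP session.
//
// Unsafe pattern this replaces: building the query as
//   "SELECT ... WHERE id = " . $_POST['pid']
// which lets the request body change the SQL statement itself.

function add_to_cart(mysqli $conn, array $request, array &$cart): array
{
    // 1. Validate: pid must be a positive integer. Anything else is
    //    rejected before it reaches the database layer at all.
    $pid = filter_var($request['pid'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if ($pid === false) {
        return ['status' => 'error', 'message' => 'invalid product id'];
    }

    // 2. Parameterize: the value is bound as an integer, never concatenated
    //    into the SQL text, so user input cannot alter the query structure.
    $stmt = $conn->prepare('SELECT id, name, price FROM products WHERE id = ?');
    $stmt->bind_param('i', $pid);
    $stmt->execute();
    $product = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($product === null) {
        return ['status' => 'error', 'message' => 'unknown product'];
    }

    // 3. Only the validated integer is used as the cart key.
    $cart[$pid] = ($cart[$pid] ?? 0) + 1;
    return ['status' => 'ok', 'product' => $product, 'qty' => $cart[$pid]];
}

// Hypothetical wiring for an endpoint such as /admin/ajax.php?action=add_to_cart.
// The application's own dispatcher and admin authentication check still apply
// before this point; they are not shown here.
if (($_GET['action'] ?? '') === 'add_to_cart') {
    session_start();
    $_SESSION['cart'] = $_SESSION['cart'] ?? [];
    header('Content-Type: application/json');
    echo json_encode(add_to_cart($conn, $_POST, $_SESSION['cart']));
}
```

Because the bound parameter is typed as an integer, a non-numeric or crafted pid fails validation at step 1 and, even if it reached step 2, could only ever be compared as a value, never executed as SQL.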

Generated by OpenCVE AI on April 30, 2026 at 03:42 UTC.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 22:45:00 +0000

No values removed.

Type: First Time appeared
Values Added: Sourcecodester; Sourcecodester pizzafy Ecommerce System

Type: Vendors & Products
Values Added: Sourcecodester; Sourcecodester pizzafy Ecommerce System

Wed, 29 Apr 2026 21:30:00 +0000

No values removed.

Type: Description
Values Added: A vulnerability has been found in SourceCodester Pizzafy Ecommerce System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=add_to_cart. The manipulation of the argument pid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Type: Title
Values Added: SourceCodester Pizzafy Ecommerce System ajax.php add_to_cart sql injection

Type: Weaknesses
Values Added: CWE-74; CWE-89

Type: References
Values Added: (empty)

Type: Metrics
Values Added:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T21:15:14.051Z

Reserved: 2026-04-29T13:17:36.294Z

Link: CVE-2026-7410

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-04-29T22:16:22.093

Modified: 2026-04-30T14:52:54.847

Link: CVE-2026-7410

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T03:45:06Z

Weaknesses