CVE-2022-27168
Description
LiteCart prior to 2.4.2 contains a stored XSS vulnerability allowing remote attackers to inject arbitrary scripts via unsanitized user input.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
LiteCart versions prior to 2.4.2 are vulnerable to a stored cross-site scripting (XSS) issue. The flaw exists in the admin order editing interface where user-supplied input from $_POST['comments'][$key]['text'] and $_POST['items'][$key]['name'] is echoed without HTML escaping [2]. This allows an attacker to inject arbitrary JavaScript or HTML that is stored and later executed in the context of an administrator's browser session.
Exploitation
An attacker exploits this by placing an order whose comment text or item fields carry crafted HTML or JavaScript. No privileged account is needed: any party able to submit data that the vulnerable endpoint processes (e.g., an order placed through the storefront, or a direct POST request) can supply the payload, which is stored with the order. When an administrator opens that order in the admin panel, the stored values are rendered without escaping and the script executes in the admin's browser session [1]. The attack requires user interaction (the admin viewing the page) but no privileges beyond the ability to submit an order.
Impact
Successful exploitation allows an attacker to execute arbitrary scripts in the web browser of an authenticated administrator. This can lead to session hijacking, theft of sensitive data (e.g., customer information, admin credentials), defacement, or further attacks against the e-commerce platform. The CVSS v3 score is 6.1 (Medium) with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [1].
Mitigation
The vulnerability is fixed in LiteCart version 2.4.2, released on or before July 4, 2022 [1]. The fix is implemented in commit 050fea86cc162f3da2f7824f586602125a0f6d63, which applies functions::escape_html() to the affected output fields [2]. Upgrade to 2.4.2 or later. No workaround is documented; if upgrading is not immediately possible, restrict admin panel access (for example to a trusted network) and treat every customer-submitted order as untrusted input when it is opened in the order editor, since the payload is stored in ordinary order data rather than in anything that looks suspicious from the order list.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 listed.
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing HTML escaping of user-supplied POST data when rendering order details in the admin panel allows stored cross-site scripting."
Attack vector
An attacker who can submit a crafted order (e.g., via the checkout process) can inject arbitrary HTML/JavaScript into POST fields such as comment text, item names, SKU, weight class, or dimension class. When an administrator views the order in the admin panel, the stored input is rendered into the page without HTML escaping, so the injected script executes in the admin's browser session [ref_id=1].
Affected code
The commit [ref_id=1] modifies `admin/` order-editing templates. The vulnerable lines directly echo `$_POST` values (e.g., `$_POST['comments'][$key]['text']`, `$_POST['items'][$key]['name']`, `$_POST['items'][$key]['sku']`, `$_POST['items'][$key]['weight_class']`, `$_POST['items'][$key]['dim_class']`, and option field names/values) without HTML escaping.
What the fix does
The patch wraps every echoed `$_POST` value with `functions::escape_html()` [ref_id=1]. For example, `echo nl2br($_POST['comments'][$key]['text'])` becomes `echo nl2br(functions::escape_html($_POST['comments'][$key]['text']))`. This HTML-encodes special characters such as `<`, `>`, `"`, and `&`, preventing them from being interpreted as markup and thus closing the stored XSS vector.
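To make the before/after concrete, the following is an added example that models the template change described above; it is not LiteCart's code. escape_html() is an assumed stand-in for functions::escape_html(), the two render functions are hypothetical simplifications of the order-edit template, and the order data is constructed (PHP 8 or later):

```php
<?php
// Added example, not LiteCart's own code: a minimal model of the admin
// order-edit template before and after the fix for CVE-2022-27168.
// escape_html() is an assumed stand-in for functions::escape_html();
// the real helper and templates live in the LiteCart repository.

function escape_html(?string $value): string
{
    // ENT_QUOTES also encodes single quotes, so the result is safe both
    // as element text and inside quoted attribute values.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before the fix: $_POST values go into the markup verbatim.
function render_vulnerable(array $post): string
{
    $out = '';
    foreach ($post['items'] as $key => $item) {
        // Mirrors: echo $_POST['items'][$key]['name'];
        $out .= '<input type="text" name="items[' . $key . '][name]" value="' . $item['name'] . '" />' . "\n";
    }
    foreach ($post['comments'] as $key => $comment) {
        // Mirrors: echo nl2br($_POST['comments'][$key]['text']);
        $out .= '<div class="comment">' . nl2br($comment['text']) . '</div>' . "\n";
    }
    return $out;
}

// After the fix: every user-controlled value is escaped before output.
function render_fixed(array $post): string
{
    $out = '';
    foreach ($post['items'] as $key => $item) {
        $out .= '<input type="text" name="items[' . (int) $key . '][name]" value="' . escape_html($item['name']) . '" />' . "\n";
    }
    foreach ($post['comments'] as $key => $comment) {
        // Escape first, then nl2br(): the <br /> tags nl2br() inserts must
        // reach the browser as markup, while everything the user typed must not.
        $out .= '<div class="comment">' . nl2br(escape_html($comment['text'])) . '</div>' . "\n";
    }
    return $out;
}

// Constructed order data, standing in for the stored order the admin
// page loads into $_POST: one payload breaks out of an attribute, the
// other injects an element into comment text.
$post = [
    'items'    => [1 => ['name' => 'Widget" autofocus onfocus="alert(document.cookie)']],
    'comments' => [1 => ['text' => "Please gift wrap.\n<img src=x onerror=alert(1)>"]],
];

echo "--- vulnerable ---\n", render_vulnerable($post);
echo "--- fixed ---\n", render_fixed($post);

// Sanity checks: the vulnerable output carries live markup from user data,
// the fixed output carries only nl2br()'s own <br /> tags.
$fixed = render_fixed($post);
if (str_contains($fixed, '<img') || str_contains($fixed, 'autofocus onfocus="')) {
    throw new RuntimeException('user-controlled markup survived escaping');
}
if (!str_contains($fixed, '<br />') || !str_contains(render_vulnerable($post), '<img src=x')) {
    throw new RuntimeException('model does not behave as expected');
}
```

Run it with the php command-line binary. The order of the two calls in the comment branch matters: escape_html() runs on the raw text and nl2br() afterwards, so the `<br />` tags nl2br() adds are the only markup in the output; wrapping the calls the other way round would encode those tags into visible text and break line rendering, which is a common mistake when retrofitting escaping onto existing templates.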
Preconditions
- input: An attacker must be able to submit an order containing malicious HTML/JavaScript in POST fields (e.g., comment text, item name, SKU, weight class, dimension class).
- auth: An administrator must view the crafted order in the admin panel.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/litecart/litecart/commit/050fea86cc162f3da2f7824f586602125a0f6d63 (x_refsource_MISC)
- jvn.jp/en/jp/JVN32625020/index.html (x_refsource_MISC)
- www.litecart.net/en/ (x_refsource_MISC)
News mentions
No linked articles in our index yet.