CVE-2026-10704
Description
SQL injection in SourceCodester Pizzafy E-Commerce System 1.0 allows remote attackers to bypass authentication and gain administrative control.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in the login function of SourceCodester Pizzafy E-Commerce System version 1.0, specifically within the /admin/admin_class_novo.php file and accessible via the /admin/ajax.php?action=login endpoint. The Username argument is directly concatenated into a SQL query without sanitization, allowing the query to be manipulated [1].
Exploitation
An attacker can exploit this vulnerability remotely without authentication by sending a crafted Username parameter to the /admin/ajax.php?action=login endpoint. The injected payload breaks out of the single-quote string context in the SQL query, enabling arbitrary SQL logic execution [1].
Impact
Successful exploitation allows an attacker to bypass administrator authentication, log in as any user without credentials, enumerate user credentials, and gain full administrative control over the system. It may also be chained with other vulnerabilities for remote code execution [1].
Mitigation
SourceCodester Pizzafy E-Commerce System version 1.0 is affected. A patch or fixed version is not yet disclosed in the available references. The vendor homepage is provided [2].
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The username POST parameter is directly concatenated into a MySQL SELECT query without sanitization or escaping [ref_id=1]."
Attack vector
The vulnerability is in the login function of the file /admin/admin_class_novo.php, accessible via the /admin/ajax.php?action=login endpoint [ref_id=1]. An attacker can send a POST request with a manipulated 'username' argument. This argument can contain SQL injection payloads that break out of the string context. Since the router performs no authentication check, this allows for remote exploitation without prior credentials [ref_id=1].
Affected code
The vulnerability resides in the login() function within /admin/admin_class_novo.php, exposed via the /admin/ajax.php?action=login endpoint [ref_id=1]. The affected code directly concatenates the username POST parameter into a MySQL SELECT query: "SELECT * FROM users WHERE username = '$username'" [ref_id=1].
What the fix does
The advisory recommends using prepared statements for all authentication queries to prevent SQL injection. This involves preparing the SQL statement with placeholders and then binding the user-supplied username to it. This ensures that the input is treated as data rather than executable SQL code. Additionally, implementing rate limiting, CAPTCHA, multi-factor authentication, audit logging, account lockout, and input validation are suggested remediation steps [ref_id=1].
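The prepared-statement fix the advisory recommends, shown as an added example that is not the Pizzafy project's own code. It assumes a mysqli connection `$db` and a `users` table with `username` and `password` columns where `password` holds a `password_hash()` digest (the advisory only shows the SELECT on `username`; the column names and hashing scheme are assumptions). The vulnerable form is kept beside the fixed one so the difference is visible; the other remediation items (rate limiting, lockout, MFA, logging) are not shown here.

```php
<?php
// Added example, not the Pizzafy project's own code. Assumes a mysqli
// connection $db and a `users` table with `username` and `password` columns,
// where `password` holds a password_hash() digest (assumption: the advisory
// only shows the SELECT on `username`).

// BEFORE (the shape of the flaw the advisory describes): the POST parameter is
// interpolated into the SQL string, so a quote in $username changes the query.
function login_vulnerable(mysqli $db, string $username): ?array {
    $sql = "SELECT * FROM users WHERE username = '$username'";
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// AFTER: a prepared statement with a bound parameter. The query text is sent
// to MySQL separately from the value, so the value can never be parsed as SQL.
function login_fixed(mysqli $db, string $username, string $password): ?array {
    $stmt = $db->prepare(
        'SELECT id, username, password FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);   // 's' = bind the value as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    // Verify the password against the stored hash. A missing row and a wrong
    // password both return null so the caller cannot tell which one failed.
    if ($row === null || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);   // never hand the hash back to the caller
    return $row;
}

// Router-side handling for action=login: accept only the two expected fields,
// require both to be non-empty strings, and go through the fixed function.
function handle_login(mysqli $db, array $post): ?array {
    $username = $post['username'] ?? null;
    $password = $post['password'] ?? null;
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        return null;
    }
    return login_fixed($db, $username, $password);
}
```

`get_result()` requires the mysqlnd driver; on builds without it, use `bind_result()` and `fetch()` instead. The important property is the same either way: the username reaches MySQL as a bound parameter, so the `'` that breaks out of the string in the vulnerable form is just another character in the value.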
Preconditions
- network: The target system must be accessible over the network.
- input: The attacker must be able to send a POST request to the /admin/ajax.php?action=login endpoint with a crafted 'username' parameter.
Reproduction
POST /admin/ajax.php?action=login HTTP/1.1
Host: TARGET
Content-Type: application/x-www-form-urlencoded

username=admin' OR '1'='1'-- -&password=anything
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.