CVE-2026-7295
Description
A vulnerability has been found in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this issue is the function save_menu of the file /admin/ajax.php?action=save_menu. Such manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-7295 is a stored XSS vulnerability in SourceCodester Pizzafy Ecommerce System 1.0 via the 'Name' argument in /admin/ajax.php?action=save_menu.
Vulnerability
Description
The vulnerability resides in the save_menu function of the /admin/ajax.php?action=save_menu endpoint in SourceCodester Pizzafy Ecommerce System 1.0. The application does not properly sanitize the Name argument, allowing an attacker to inject arbitrary JavaScript or HTML code. This is a classic case of cross-site scripting (XSS) caused by insufficient input validation [1].
Exploitation
Conditions
The attack can be launched remotely without requiring authentication, as the affected endpoint appears to be accessible to any visitor. The exploit has been publicly disclosed in a report [1], lowering the barrier for potential attackers. No special privileges or network position are needed beyond the ability to send a crafted HTTP request to the menu-saving functionality.
Impact
If exploited, an attacker can execute arbitrary client-side scripts in the context of an administrator's browser session. This could lead to session hijacking, defacement of the admin panel, or unauthorized actions on behalf of the logged-in administrator. However, the reported CVSS values (2.7, with a base score of 2.4, Low) indicate that the impact is limited, likely because the attack requires user interaction (the admin viewing the stored payload) and the affected scope may be confined to the admin interface.
Mitigation and Patch Status
As of the publication date (2026-04-28), there is no mention of an official patch from the vendor. The project is hosted on SourceCodester [2], which provides free source code and tutorials but does not always maintain regular security updates. Users should sanitize the Name parameter using proper output encoding or a reliable HTML escaping library as a temporary workaround until a patch is released.
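One way to apply the workaround described above in the application's own language: an added PHP example that is not Pizzafy's code (the function names, the field name and the 100-character limit are assumptions), validating the menu name when it is saved and HTML-escaping it wherever it is rendered.

```php
<?php
// Added example, not part of Pizzafy. Function names and limits are assumed;
// the real save_menu handler and its templates are not reproduced here.

// Server-side validation for the incoming "Name" field: reject anything that
// is empty, over-long, or contains characters a menu name never needs.
function validateMenuName(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name) > 100) {
        return null;
    }
    // Letters in any script, digits, spaces and a few punctuation marks.
    if (!preg_match('/^[\p{L}\p{N} .,\'&()-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// Output encoding for an HTML text or quoted-attribute context. This is the
// control that actually neutralises stored XSS: whatever was saved, the
// browser receives it as text, never as markup.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: a menu name carrying HTML markup, the kind of
// value the report describes being stored through save_menu.
$submitted = 'Margherita <script>alert(1)</script>';

$clean = validateMenuName($submitted);
if ($clean === null) {
    // What save_menu should do with such input: refuse the write and report it.
    echo json_encode(['status' => 'error', 'msg' => 'Invalid menu name']);
} else {
    // Persist $clean with a prepared statement, then render it via escapeHtml().
}

// Even if validation were bypassed, escaping at render time defuses the stored value.
echo '<td>' . escapeHtml($submitted) . '</td>';
```

Validation and output encoding are independent layers: the regex keeps junk out of the database, while escapeHtml() protects every page that prints the name, including rows stored before the fix.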
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.