VYPR
Low severity · CVSS 2.4 · NVD Advisory · Published Apr 28, 2026 · Updated Apr 29, 2026

CVE-2026-7296

Description

A vulnerability was found in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function save_order of the file /admin/ajax.php?action=save_order. Manipulation of the argument first_name results in cross-site scripting. Remote exploitation of the attack is possible. The exploit has been made public and could be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in SourceCodester Pizzafy Ecommerce System 1.0 allows remote attackers to inject arbitrary JavaScript via the first_name parameter in the save_order function.

Vulnerability

Overview

CVE-2026-7296 describes a stored cross-site scripting (XSS) vulnerability in the SourceCodester Pizzafy Ecommerce System version 1.0. The flaw resides in the save_order function reached through /admin/ajax.php?action=save_order. The application stores the first_name argument without sanitizing it and later renders it without output encoding, so an attacker can persist arbitrary HTML and JavaScript that executes whenever the stored order is displayed.

Exploitation

The description states that the attack can be carried out remotely; it does not state whether the save_order action enforces authentication. The /admin/ path and the low base score (2.4) are consistent with a scoring that assumes the attacker already holds privileges and that a user must view the tainted order, so do not read "remote" as "unauthenticated" without confirming it against the code. A proof-of-concept exploit has been publicly released [1], demonstrating how a crafted first_name parameter can be submitted to trigger the XSS. The injected script executes in the context of the admin panel when the stored order data is viewed.

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the browser of an administrator viewing the orders. This can lead to session hijacking, theft of sensitive data, or actions performed with the administrator's privileges through the admin interface. The low CVSS score (2.4) reflects the preconditions assumed by the scorer, not the value of an admin session: if the save_order action turns out to be reachable by lower-privileged users, the effective risk is considerably higher. The public availability of exploit code increases the risk for unpatched installations either way.

Mitigation

As of the publication date, no official patch has been released by SourceCodester. The primary fix is context-aware output encoding: every value read back from the orders table, first_name included, must be HTML-encoded where it is rendered in the admin panel. Validating first_name on input (length, character set) is a useful second layer but does not replace encoding, and neither measure cleans rows that were stored before the fix, so existing orders should be audited for markup or script fragments. Until a fix is available, restricting network access to /admin/, adding a Content-Security-Policy that blocks inline script, and monitoring for suspicious activity are recommended.
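The fix and audit described above, as an added PHP illustration rather than Pizzafy's or SourceCodester's own code: the order-row structure, the function names, and the sample rows are assumptions made for the example. It shows the raw-interpolation pattern the description implies beside the encoded version, an input validator for a name field, and a scan over stored values for the "audit existing orders" step.

```php
<?php
// Added illustration for CVE-2026-7296; not the Pizzafy code base.
// Assumed (hypothetical): orders are associative arrays with 'id' and
// 'first_name' keys that the admin panel renders into an HTML table.

declare(strict_types=1);

// Context-aware HTML encoding. ENT_QUOTES makes the result safe inside
// single- or double-quoted attributes as well as in element text.
function h(?string $value): string
{
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Input-side validation for a name field: letters from any script,
// combining marks, spaces, apostrophes, periods and hyphens, 1..64 chars.
// Defence in depth only; encoding at render time is the real control.
function validate_first_name(string $name): ?string
{
    $name = trim($name);
    if (!preg_match('/^[\p{L}\p{M}\s\'\.\-]{1,64}$/u', $name)) {
        return null;
    }
    return $name;
}

// Vulnerable pattern: stored value interpolated straight into markup.
function render_order_row_unsafe(array $order): string
{
    return '<tr><td>' . $order['id'] . '</td><td>' . $order['first_name'] . '</td></tr>';
}

// Hardened: every dynamic value is encoded for its HTML context.
function render_order_row(array $order): string
{
    return '<tr><td>' . h((string)$order['id']) . '</td><td>' . h($order['first_name']) . '</td></tr>';
}

// Audit helper: flag stored values that contain tags, javascript: URLs,
// event-handler attributes or numeric entities. Heuristic, so review hits
// by hand rather than deleting rows automatically.
function looks_like_xss(string $value): bool
{
    return (bool)preg_match('/<\s*\/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=|&#x?[0-9a-f]+;?/i', $value);
}

function audit_orders(array $orders): array
{
    $hits = [];
    foreach ($orders as $o) {
        if (looks_like_xss((string)$o['first_name'])) {
            $hits[] = $o['id'];
        }
    }
    return $hits;
}

// Constructed sample rows, not real customer data.
$orders = [
    ['id' => 101, 'first_name' => 'Maria'],
    ['id' => 102, 'first_name' => '<script>alert(document.cookie)</script>'],
    ['id' => 103, 'first_name' => '<img src=x onerror=alert(1)>'],
];

echo render_order_row_unsafe($orders[1]), PHP_EOL; // script tag reaches the browser intact
echo render_order_row($orders[1]), PHP_EOL;        // &lt;script&gt;... shown as text, not executed
var_dump(validate_first_name($orders[0]['first_name'])); // string(5) "Maria"
var_dump(validate_first_name($orders[2]['first_name'])); // NULL: rejected before it is stored
print_r(audit_orders($orders));                          // Array ( [0] => 102 [1] => 103 )
```

Run with `php example.php` (PHP 7.4 or later). Apply `h()` at the template, not when saving: encoding on input corrupts names that legitimately contain apostrophes and leaves any other render path (CSV export, JSON API, e-mail templates) with the raw value and its own encoding rules.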

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.