CVE-2026-7410
Description
A vulnerability has been found in SourceCodester Pizzafy Ecommerce System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=add_to_cart. The manipulation of the argument pid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in SourceCodester Pizzafy Ecommerce System 1.0 via the pid parameter in /admin/ajax.php?action=add_to_cart allows remote attackers to extract database contents.
Vulnerability
Analysis
CVE-2026-7410 describes an SQL injection vulnerability in SourceCodester Pizzafy Ecommerce System version 1.0. The flaw resides in the /admin/ajax.php?action=add_to_cart endpoint, where the pid parameter is not properly sanitized before being used in a database query. The official description and the public exploit details confirm that the injection occurs via a POST request to this endpoint, with the pid parameter containing malicious SQL payloads [1].
Exploitation
The official description states only that the attack may be initiated remotely; the narrative's claim that no authentication is required should be checked against an actual deployment, since the endpoint sits under /admin/ and may be reachable only with an administrator session. The provided proof-of-concept demonstrates error-based SQL injection: extractvalue() is called with an XPath expression built from the result of a subquery, the expression is malformed, and the resulting database error message echoes the subquery's value back to the client. The payload shown in the reference appends SQL to the pid parameter, such as pid=9 AND extractvalue(1, concat(0x7e, (SELECT table_name FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1))) -- [1]. The 0x7e prefix (a tilde) is what makes the XPath invalid, and the trailing comment discards the rest of the original query; note that MySQL's -- comment requires a following whitespace character, so in practice it is sent as --+ or similar. By stepping the LIMIT offset, the attacker extracts data from the database one value at a time.
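As an added example, not part of this page or of the Pizzafy code, the following Python detection logic flags the error-based pattern described above in add_to_cart requests. The sample requests are constructed by me, and the record shape (method, path, query string, decoded POST body) and the verdict names are my own assumptions about how a WAF or application log might store them. The check is strict on purpose: on this endpoint a pid that is not a plain digit string is anomalous even before any SQL keywords are matched.

```python
import re
from urllib.parse import parse_qs

# Constructed sample requests (not from the reference or any real log). The
# field names and the inclusion of a decoded POST body are assumptions.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/admin/ajax.php", "query": "action=add_to_cart",
     "body": "pid=9&qty=1"},
    {"method": "POST", "path": "/admin/ajax.php", "query": "action=add_to_cart",
     "body": ("pid=9+AND+extractvalue(1%2Cconcat(0x7e%2C(SELECT+table_name+FROM+"
              "information_schema.tables+WHERE+table_schema%3Ddatabase()+LIMIT+0%2C1)))"
              "+--+&qty=1")},
    {"method": "POST", "path": "/admin/ajax.php", "query": "action=add_to_cart",
     "body": "pid=9+AND+updatexml(1%2Cconcat(0x7e%2Cversion())%2C1)--+"},
    {"method": "POST", "path": "/admin/ajax.php", "query": "action=add_to_cart",
     "body": "pid=abc"},
    {"method": "GET", "path": "/admin/index.php", "query": "page=orders", "body": ""},
]

# MySQL's two error-based primitives: a call to extractvalue() or updatexml().
ERROR_BASED = re.compile(r"\b(extractvalue|updatexml)\s*\(", re.IGNORECASE)
# Weaker indicators that often accompany schema enumeration.
SCHEMA_PROBE = re.compile(r"information_schema|concat\s*\(|0x7e", re.IGNORECASE)

# Verdicts ordered from least to most severe (my own labels).
SEVERITY = ["ok", "malformed", "sqli_probe", "error_based_sqli"]


def classify_pid(raw_pid):
    """Verdict for one decoded pid value as submitted to add_to_cart."""
    if re.fullmatch(r"[0-9]+", raw_pid):
        return "ok"
    if ERROR_BASED.search(raw_pid):
        return "error_based_sqli"
    if SCHEMA_PROBE.search(raw_pid):
        return "sqli_probe"
    return "malformed"


def scan(records):
    """Return (record index, verdict) for every add_to_cart request."""
    findings = []
    for i, rec in enumerate(records):
        if rec["path"] != "/admin/ajax.php":
            continue
        if parse_qs(rec["query"]).get("action") != ["add_to_cart"]:
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so the regexes
        # see the SQL the way the database would.
        pid_values = parse_qs(rec["body"]).get("pid")
        if not pid_values:
            findings.append((i, "missing_pid"))
            continue
        # The parameter may be repeated; report the worst value seen.
        worst = max((classify_pid(v) for v in pid_values), key=SEVERITY.index)
        findings.append((i, worst))
    return findings


if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_REQUESTS):
        print(index, verdict, SAMPLE_REQUESTS[index]["body"][:60])
```

Because the injection travels in a POST body, an ordinary access log that records only the request line will not show it; the scan needs a source that keeps the body, such as a WAF audit log or the application's own request logging.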
Impact
Successful exploitation enables an attacker to read arbitrary data from the database, including table names, column names, and potentially sensitive user or order information. Because the extracted value travels inside the database error text, the application does not need to render query results for the attack to work; it only needs to pass database errors through to the client. The vulnerability is rated Medium severity (CVSS 6.3), but the public exploit disclosure increases the likelihood of widespread use [1].
Mitigation
As of the publication date, no official patch has been released by SourceCodester. The vendor's website provides the software for download but does not mention a fix [2]. Until one is available, operators who maintain their own copy of Pizzafy Ecommerce System 1.0 should correct the endpoint themselves: reject any pid that is not a plain digit string, and pass the integer to the database through a prepared statement with bound parameters rather than by concatenating it into the query text. Restricting /admin/ajax.php to authenticated administrators and not returning database error messages to clients both reduce exposure, but neither removes the flaw.
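As an added example, not part of this page or of the Pizzafy project (which is PHP), the following Python code shows the unsafe query construction the advisory describes next to the corrected form, using an in-memory SQLite table with constructed product rows. SQLite has no extractvalue(), so the injected text is a boolean tautology appended the same way the reference payload appends its subquery; that is enough to show that whatever follows pid is executed as SQL in the vulnerable version and is inert in the fixed one. Table and column names are my own assumptions.

```python
import re
import sqlite3


def make_db():
    """In-memory product table standing in for the shop database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(9, "Margherita", 7.5), (10, "Pepperoni", 9.0), (11, "Veggie", 8.0)],
    )
    return conn


def lookup_vulnerable(conn, pid):
    # The unsafe pattern the advisory describes: the raw request value is
    # spliced into the SQL text, so any SQL inside pid becomes part of the query.
    sql = "SELECT id, name, price FROM products WHERE id = " + pid
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, pid):
    # Binding alone already defeats the injection: the whole string is compared
    # as one value and cannot change the statement's structure.
    return conn.execute(
        "SELECT id, name, price FROM products WHERE id = ?", (pid,)
    ).fetchall()


def is_valid_pid(pid):
    # Product ids are positive integers; anything else is rejected up front.
    return isinstance(pid, str) and re.fullmatch(r"[0-9]+", pid) is not None


def lookup_fixed(conn, pid):
    # Validate, then bind. Validation turns a hostile value into an explicit
    # error instead of a silent empty result; the bound int can never carry SQL.
    if not is_valid_pid(pid):
        raise ValueError("pid must be a positive integer")
    return conn.execute(
        "SELECT id, name, price FROM products WHERE id = ?", (int(pid),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, benign:  ", lookup_vulnerable(db, "9"))
    print("vulnerable, injected:", lookup_vulnerable(db, "9 OR 1=1 -- "))
    print("vulnerable, false:   ", lookup_vulnerable(db, "9 AND 1=2 -- "))
    print("bound, injected:     ", lookup_parameterized(db, "9 OR 1=1 -- "))
    print("fixed, benign:       ", lookup_fixed(db, "9"))
```

The difference between the second and third vulnerable calls (three rows versus none) is the same signal an attacker uses in boolean-based extraction; the error-based variant from the reference only trades that signal for the contents of an error message.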
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
News mentions (0)
No linked articles in our index yet.