SourceCodester Pizzafy Ecommerce System ajax.php get_cart_items sql injection

A weakness has been identified in SourceCodester Pizzafy Ecommerce System 1.0. Impacted is the function get_cart_items of the file /admin/ajax.php?action=get_cart_items. Executing a manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.

Problem type

Affected products

SourceCodester

Pizzafy Ecommerce System

1.0 - AFFECTED

References

VDB-359915 | SourceCodester Pizzafy Ecommerce System ajax.php get_cart_items sql injection

https://vuldb.com/vuln/359915

vdb-entrytechnical-description

VDB-359915 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/vuln/359915/cti

signaturepermissions-required

Submit #802437 | SourceCodester Pizzafy Ecommerce System 1.0 SQL Injection

https://vuldb.com/submit/802437

third-party-advisory

github.com

https://github.com/fernando-mengali/vulndb-submissions/blob/main/06-vul-SQLI.md

exploit

sourcecodester.com

https://www.sourcecodester.com/

product

GitHub Security Advisories

GHSA-r2qv-89q7-cq7c

A weakness has been identified in SourceCodester Pizzafy Ecommerce System 1.0. Impacted is the...

https://github.com/advisories/GHSA-r2qv-89q7-cq7c

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-7264

github.com

https://github.com/fernando-mengali/vulndb-submissions/blob/main/06-vul-SQLI.md

vuldb.com

https://vuldb.com/submit/802437

vuldb.com

https://vuldb.com/vuln/359915

vuldb.com

https://vuldb.com/vuln/359915/cti

sourcecodester.com

https://www.sourcecodester.com

github.com

https://github.com/advisories/GHSA-r2qv-89q7-cq7c

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-7264

Click to expand

{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-7264",
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "dateUpdated": "2026-04-28T09:30:14.143Z",
    "dateReserved": "2026-04-28T05:23:13.636Z",
    "datePublished": "2026-04-28T09:30:14.143Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB",
        "dateUpdated": "2026-04-28T09:30:14.143Z"
      },
      "title": "SourceCodester Pizzafy Ecommerce System ajax.php get_cart_items sql injection",
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in SourceCodester Pizzafy Ecommerce System 1.0. Impacted is the function get_cart_items of the file /admin/ajax.php?action=get_cart_items. Executing a manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks."
        }
      ],
      "affected": [
        {
          "vendor": "SourceCodester",
          "product": "Pizzafy Ecommerce System",
          "versions": [
            {
              "version": "1.0",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "SQL Injection",
              "cweId": "CWE-89",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Injection",
              "cweId": "CWE-74",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://vuldb.com/vuln/359915",
          "name": "VDB-359915 | SourceCodester Pizzafy Ecommerce System ajax.php get_cart_items sql injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ]
        },
        {
          "url": "https://vuldb.com/vuln/359915/cti",
          "name": "VDB-359915 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ]
        },
        {
          "url": "https://vuldb.com/submit/802437",
          "name": "Submit #802437 | SourceCodester Pizzafy Ecommerce System 1.0 SQL Injection",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://github.com/fernando-mengali/vulndb-submissions/blob/main/06-vul-SQLI.md",
          "tags": [
            "exploit"
          ]
        },
        {
          "url": "https://www.sourcecodester.com/",
          "tags": [
            "product"
          ]
        }
      ],
      "metrics": [
        {},
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM"
          }
        },
        {
          "cvssV3_0": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM"
          }
        },
        {
          "cvssV2_0": {
            "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "baseScore": 6.5
          }
        }
      ],
      "timeline": [
        {
          "time": "2026-04-28T00:00:00.000Z",
          "lang": "en",
          "value": "Advisory disclosed"
        },
        {
          "time": "2026-04-28T02:00:00.000Z",
          "lang": "en",
          "value": "VulDB entry created"
        },
        {
          "time": "2026-04-28T07:28:33.000Z",
          "lang": "en",
          "value": "VulDB entry last update"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Fernando Mengali (VulDB User)",
          "type": "reporter"
        }
      ],
      "tags": [
        "x_freeware"
      ]
    }
  }
}