Executive Summary
A high-severity SQL injection vulnerability (CVE-2026-14652) has been identified in SourceCodester Simple and Nice Shopping Cart Script version 1.0. The flaw resides in the admin authentication endpoint (/admin/login.php) where the Username parameter is passed directly to a database query without sanitization, enabling remote exploitation.
CVSS Score: 7.3 (High)
The vulnerability has been publicly disclosed and exploit code is available, meaning unpatched deployments face immediate risk.
Technical Details
Vulnerability Type
Classic SQL Injection (SQLi) via unsanitized user-controlled input in an authentication query. The Username field in /admin/login.php is concatenated directly into a SQL statement without parameterization or escaping.
Attack Vector
| Field | Value |
|---|---|
| CVE ID | CVE-2026-14652 |
| CVSS v3.1 | 7.3 (High) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Authentication Required | None |
| Privileges Required | None |
| Scope | Unchanged |
Affected Endpoint
POST /admin/login.php
Parameter: Username
An attacker can inject a payload such as ' OR '1'='1 into the Username field to bypass authentication or extract data from the underlying database.
Proof of Concept
The following example payload demonstrates authentication bypass:
Username: admin' OR '1'='1' -- -
Password: (anything)
This causes the backend query to evaluate as always-true, granting unauthenticated administrative access.
Impact
A successful exploit allows an attacker to:
- Bypass admin authentication without valid credentials
- Enumerate and extract the entire database, including user accounts and order data
- Potentially escalate to Remote Code Execution via SQL file write operations (environment-dependent)
- Access all administrative functionality of the shopping cart application
Affected Versions
| Product | Version | Status |
|---|---|---|
| SourceCodester Simple and Nice Shopping Cart Script | 1.0 | Vulnerable |
No patch is currently available from the vendor. SourceCodester scripts are commonly deployed on shared hosting and small business environments.
Remediation
Until an official patch is released, administrators should:
- Remove or restrict access to the admin panel via network-level controls (firewall rules,
.htaccessIP allowlist) - Implement a Web Application Firewall (WAF) with SQLi detection rules
- Replace vulnerable queries with prepared statements / parameterized queries:
// Vulnerable (DO NOT USE)
$query = "SELECT * FROM admin WHERE username='" . $_POST['Username'] . "'";
// Secure replacement
$stmt = $pdo->prepare("SELECT * FROM admin WHERE username = ?");
$stmt->execute([$_POST['Username']]);- Audit all input fields in the application for similar unsanitized concatenation patterns
- Monitor access logs for SQL injection patterns (
',OR 1=1,--,UNION SELECT)
Detection
Look for the following indicators in your web server access logs:
POST /admin/login.php
User-Agent patterns: sqlmap, havij, or scripted requests
Parameters containing: ', OR, UNION, SELECT, --, #
Security teams can deploy Snort/Suricata rules targeting SQLi payloads against /admin/login.php.