Executive Summary
CVE-2026-14653 is a high-severity SQL injection vulnerability discovered in SourceCodester Simple and Nice Shopping Cart Script 1.0. The vulnerable endpoint is /admin/mensproductdeletequery.php, where the user_id parameter is not sanitized before being used in a database query.
CVSS Score: 7.3 (High)
Public exploit code is available. This vulnerability can be exploited remotely without authentication (depending on whether the admin panel itself requires login), making it a high-priority finding for any deployment of this software.
Technical Details
Vulnerability Type
SQL Injection (CWE-89) — a classic unsanitized parameter concatenation vulnerability in a product deletion workflow. The user_id parameter sent to the delete query endpoint is not validated or parameterized.
Attack Vector
| Field | Value |
|---|---|
| CVE ID | CVE-2026-14653 |
| CVSS v3.1 | 7.3 (High) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Authentication Required | Low (admin session, if protected) |
| Privileges Required | Low |
| Scope | Unchanged |
Affected Endpoint
GET/POST /admin/mensproductdeletequery.php
Parameter: user_id
The application passes user_id directly into a DELETE or SELECT SQL query without escaping, allowing an attacker to inject arbitrary SQL clauses.
Example Payload
/admin/mensproductdeletequery.php?user_id=1 OR 1=1--
/admin/mensproductdeletequery.php?user_id=1 UNION SELECT username,password,3,4 FROM admin--
Impact
Exploitation of this vulnerability could allow an attacker to:
- Exfiltrate all database records including product inventory, customer data, and admin credentials
- Delete arbitrary records across tables by manipulating the injected WHERE clause
- Enumerate database structure (table names, column names) via UNION-based or error-based injection
- Potentially achieve Remote Code Execution via
INTO OUTFILEif the MySQL user has FILE privilege
The product deletion context is particularly dangerous because a destructive payload (DROP TABLE, mass DELETE) could result in full data loss.
Affected Versions
| Product | Version | Status |
|---|---|---|
| SourceCodester Simple and Nice Shopping Cart Script | 1.0 | Vulnerable |
Remediation
No vendor patch is available. Apply the following mitigations immediately:
- Restrict admin panel access to trusted IP addresses at the web server or firewall level
- Use prepared statements for all database queries:
// Vulnerable
$query = "DELETE FROM mens_products WHERE user_id=" . $_GET['user_id'];
// Secure replacement
$stmt = $pdo->prepare("DELETE FROM mens_products WHERE user_id = ?");
$stmt->execute([intval($_GET['user_id'])]);- Validate and cast the
user_idparameter — it should always be an integer:
$user_id = filter_input(INPUT_GET, 'user_id', FILTER_VALIDATE_INT);
if ($user_id === false || $user_id === null) {
http_response_code(400);
exit('Invalid input');
}- Deploy a WAF with SQL injection detection profiles
- Restrict database user privileges — the web application DB user should not have
DROP,FILE, orGRANTprivileges
Detection
Monitor web logs for injection patterns targeting this endpoint:
/admin/mensproductdeletequery.php?user_id=
Patterns: UNION, SELECT, DROP, OR 1, --, #, 0x