Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-14654: SQL Injection in Shopping Cart Girls Product Delete Endpoint
CVE-2026-14654: SQL Injection in Shopping Cart Girls Product Delete Endpoint
SECURITYHIGHCVE-2026-14654

CVE-2026-14654: SQL Injection in Shopping Cart Girls Product Delete Endpoint

A high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to exploit the girls product delete query via an unsanitized user_id parameter.

Dylan H.

Security Team

July 5, 2026
3 min read

Affected Products

  • SourceCodester Simple and Nice Shopping Cart Script 1.0

Executive Summary

CVE-2026-14654 is a high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script version 1.0. The flaw is located in /admin/girlsproductdeletequery.php, where the user_id parameter is vulnerable to SQL injection due to a lack of input sanitization.

CVSS Score: 7.3 (High)

This CVE is closely related to CVE-2026-14653 (which affects the men's product delete endpoint in the same application) and shares the same root cause: unsanitized URL parameters fed directly into SQL queries. Both are publicly disclosed with available exploit code.

Technical Details

Vulnerability Type

SQL Injection (CWE-89) in the girls product category delete handler. The user_id parameter is concatenated directly into a SQL query without escaping or parameterization.

Attack Vector

FieldValue
CVE IDCVE-2026-14654
CVSS v3.17.3 (High)
Attack VectorNetwork
Attack ComplexityLow
Authentication RequiredLow
Privileges RequiredLow
ScopeUnchanged

Affected Endpoint

GET/POST /admin/girlsproductdeletequery.php
Parameter: user_id

Example Payload

/admin/girlsproductdeletequery.php?user_id=1' AND SLEEP(5)--
/admin/girlsproductdeletequery.php?user_id=-1 UNION SELECT 1,username,password,4 FROM admin--

Root Cause Analysis

The SourceCodester Shopping Cart Script uses a pattern of directly interpolating GET/POST parameters into SQL queries across multiple delete endpoints. CVE-2026-14652 (login), CVE-2026-14653 (mens product delete), and CVE-2026-14654 (girls product delete) all share the same underlying architectural flaw — the absence of parameterized queries across the codebase.

This suggests a systemic vulnerability pattern rather than isolated instances. Any similar delete, update, or select endpoint in the same application should be treated as potentially vulnerable until audited.

Impact

  • Database exfiltration: UNION-based injection can extract all tables — admin credentials, customer data, orders
  • Data destruction: Malicious DELETE/DROP payloads can wipe product catalogs or customer records
  • Authentication data exposure: Admin password hashes may be retrievable, enabling account takeover
  • Blind injection: Time-based blind injection (e.g., SLEEP()) confirms vulnerability even when errors are suppressed

Affected Versions

ProductVersionStatus
SourceCodester Simple and Nice Shopping Cart Script1.0Vulnerable

Remediation

Given that this is the third SQL injection CVE in the same application in the same disclosure batch, a comprehensive code review is strongly recommended. Immediate steps:

  1. Take the admin panel offline or restrict it to localhost/VPN until all endpoints are patched
  2. Replace all dynamic SQL with PDO prepared statements:
// Vulnerable pattern (found across multiple files)
$sql = "DELETE FROM girls_products WHERE user_id=" . $_GET['user_id'];
mysql_query($sql);
 
// Secure replacement
$stmt = $pdo->prepare("DELETE FROM girls_products WHERE user_id = :id");
$stmt->execute([':id' => (int)$_GET['user_id']]);
  1. Audit the entire codebase — look for any file using $_GET, $_POST, or $_REQUEST concatenated into SQL strings
  2. Enable MySQL error suppression in production (set display_errors = Off) to prevent information leakage
  3. Review database privileges — restrict the app DB user to only the minimum required permissions

Broader Context

CVE-2026-14652, CVE-2026-14653, and CVE-2026-14654 were all disclosed on 2026-07-04 and affect the same product. Organizations running SourceCodester scripts should audit their entire catalog of installed applications, as the vendor's development practices suggest widespread SQL injection risk across their portfolio.

References

  • NVD Entry — CVE-2026-14654
  • CVE-2026-14652 — Related SQLi in login endpoint
  • CVE-2026-14653 — Related SQLi in mens product delete
  • OWASP SQL Injection Prevention Cheat Sheet
  • CWE-89: SQL Injection
#SQL Injection#CVE-2026-14654#SourceCodester#PHP#Web Security#Admin Panel

Related Articles

CVE-2026-14653: SQL Injection in Shopping Cart Men's Product Delete Endpoint

A high-severity SQL injection flaw in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the men's product delete query to remote exploitation via an unsanitized user_id parameter.

3 min read

CVE-2026-14652: SQL Injection in SourceCodester Shopping Cart Admin Login

A high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to manipulate the admin login endpoint via an unsanitized Username parameter.

3 min read

SQL Injection in Multi-Vendor Online Grocery Management System (CVE-2026-14695)

A high-severity SQL injection vulnerability in SourceCodester's Multi-Vendor Online Grocery Management System 1.0 allows remote attackers to manipulate database queries via the Name parameter in the user registration handler.

3 min read
Back to all Security Alerts