Executive Summary
CVE-2026-14654 is a high-severity SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script version 1.0. The flaw is located in /admin/girlsproductdeletequery.php, where the user_id parameter is vulnerable to SQL injection due to a lack of input sanitization.
CVSS Score: 7.3 (High)
This CVE is closely related to CVE-2026-14653 (which affects the men's product delete endpoint in the same application) and shares the same root cause: unsanitized URL parameters fed directly into SQL queries. Both are publicly disclosed with available exploit code.
Technical Details
Vulnerability Type
SQL Injection (CWE-89) in the girls product category delete handler. The user_id parameter is concatenated directly into a SQL query without escaping or parameterization.
Attack Vector
| Field | Value |
|---|---|
| CVE ID | CVE-2026-14654 |
| CVSS v3.1 | 7.3 (High) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Authentication Required | Low |
| Privileges Required | Low |
| Scope | Unchanged |
Affected Endpoint
GET/POST /admin/girlsproductdeletequery.php
Parameter: user_id
Example Payload
/admin/girlsproductdeletequery.php?user_id=1' AND SLEEP(5)--
/admin/girlsproductdeletequery.php?user_id=-1 UNION SELECT 1,username,password,4 FROM admin--
Root Cause Analysis
The SourceCodester Shopping Cart Script uses a pattern of directly interpolating GET/POST parameters into SQL queries across multiple delete endpoints. CVE-2026-14652 (login), CVE-2026-14653 (mens product delete), and CVE-2026-14654 (girls product delete) all share the same underlying architectural flaw — the absence of parameterized queries across the codebase.
This suggests a systemic vulnerability pattern rather than isolated instances. Any similar delete, update, or select endpoint in the same application should be treated as potentially vulnerable until audited.
Impact
- Database exfiltration: UNION-based injection can extract all tables — admin credentials, customer data, orders
- Data destruction: Malicious DELETE/DROP payloads can wipe product catalogs or customer records
- Authentication data exposure: Admin password hashes may be retrievable, enabling account takeover
- Blind injection: Time-based blind injection (e.g.,
SLEEP()) confirms vulnerability even when errors are suppressed
Affected Versions
| Product | Version | Status |
|---|---|---|
| SourceCodester Simple and Nice Shopping Cart Script | 1.0 | Vulnerable |
Remediation
Given that this is the third SQL injection CVE in the same application in the same disclosure batch, a comprehensive code review is strongly recommended. Immediate steps:
- Take the admin panel offline or restrict it to localhost/VPN until all endpoints are patched
- Replace all dynamic SQL with PDO prepared statements:
// Vulnerable pattern (found across multiple files)
$sql = "DELETE FROM girls_products WHERE user_id=" . $_GET['user_id'];
mysql_query($sql);
// Secure replacement
$stmt = $pdo->prepare("DELETE FROM girls_products WHERE user_id = :id");
$stmt->execute([':id' => (int)$_GET['user_id']]);- Audit the entire codebase — look for any file using
$_GET,$_POST, or$_REQUESTconcatenated into SQL strings - Enable MySQL error suppression in production (set
display_errors = Off) to prevent information leakage - Review database privileges — restrict the app DB user to only the minimum required permissions
Broader Context
CVE-2026-14652, CVE-2026-14653, and CVE-2026-14654 were all disclosed on 2026-07-04 and affect the same product. Organizations running SourceCodester scripts should audit their entire catalog of installed applications, as the vendor's development practices suggest widespread SQL injection risk across their portfolio.