Overview
A high-severity SQL injection vulnerability has been identified in SourceCodester Pizzafy E-Commerce System version 1.0. The flaw exists in the AJAX order confirmation endpoint (/admin/ajax.php?action=confirm_order) where the ID parameter is passed directly into a SQL query without sanitization. A remote attacker can exploit this to execute arbitrary SQL commands against the application's database.
The vulnerability is tracked as CVE-2026-14713 with a CVSS base score of 7.3 (High). Notably, a public exploit has already been released, making this a priority remediation for any organization running this software.
Technical Details
| Field | Details |
|---|---|
| CVE ID | CVE-2026-14713 |
| CVSS Score | 7.3 (High) |
| Attack Vector | Network (Remote) |
| Authentication | Admin session (low-privilege admin access sufficient) |
| Affected Endpoint | /admin/ajax.php?action=confirm_order |
| Vulnerable Parameter | ID |
| Vendor | SourceCodester |
| Affected Version | Pizzafy E-Commerce System 1.0 |
| Public Exploit | Yes — released at time of disclosure |
The confirm_order AJAX handler retrieves an order record using a raw SQL query that concatenates the user-supplied ID value directly into the query string. The absence of prepared statements or input validation makes the endpoint trivially injectable.
Impact
Exploitation of CVE-2026-14713 could result in:
- Full database read access — an attacker can dump all tables, including customer PII, order histories, and payment references
- Data manipulation — order records can be altered or deleted, disrupting business operations
- Authentication bypass — depending on application logic, session tokens or admin credentials stored in the database can be extracted
- Potential lateral movement — in shared hosting environments, a database compromise may affect other co-hosted applications
The availability of a public proof-of-concept exploit significantly lowers the barrier to exploitation and increases the urgency of remediation.
Proof of Concept
Attackers can send a crafted POST request to the vulnerable endpoint:
POST /admin/ajax.php?action=confirm_order HTTP/1.1
Host: target.example.com
Content-Type: application/x-www-form-urlencoded
id=1' OR '1'='1Alternatively, time-based blind injection can confirm vulnerability without visible output:
id=1' AND SLEEP(5)--
Automated tools such as sqlmap can fully enumerate the database schema given network access to the endpoint.
Remediation
- Parameterized queries — Replace all raw query string concatenation with PDO prepared statements. The
confirm_orderhandler must bind theIDparameter safely before executing the query. - Admin authentication hardening — Even if exploitation requires an admin session, ensure admin accounts use strong credentials and MFA.
- Input validation — Validate that
IDis a positive integer before any database interaction (intval()or type casting in PHP). - WAF deployment — A web application firewall with SQLi signatures can block common attack patterns.
- Upgrade or replace — As a SourceCodester demo/learning application, consider whether this software is appropriate for production use at all.