CVE-2026-14653

SourceCodester · Simple and Nice Shopping Cart Script

An SQL injection vulnerability in the /admin/mensproductdeletequery.php file of SourceCodester Simple and Nice Shopping Cart Script 1.0 allows remote attackers to execute arbitrary SQL commands.

Executive summary

An SQL injection vulnerability in SourceCodester Simple and Nice Shopping Cart Script 1.0 enables unauthenticated attackers to manipulate backend database queries through unsanitized input parameters.

Vulnerability

The vulnerability exists in the /admin/mensproductdeletequery.php file, where the user_id parameter is not adequately sanitized before it is used in a database query. This allows an unauthenticated remote attacker to inject SQL commands, potentially bypassing security controls or manipulating stored data.

Business impact

With a CVSS score of 7.3, this flaw represents a significant risk to the integrity and confidentiality of the shopping cart system. Successful exploitation could allow an attacker to delete or modify product data, compromise administrative accounts, or gain unauthorized access to sensitive customer information stored in the database.

Remediation

Immediate Action: As there is no official patch, administrators should disable the affected functionality or restrict access to the /admin directory to trusted IP addresses only.

Proactive Monitoring: Monitor server logs for abnormal HTTP requests targeting the mensproductdeletequery.php file, specifically looking for URL-encoded SQL injection payloads.

Compensating Controls: Utilize a WAF to inspect and filter incoming traffic for SQL injection strings, specifically targeting the user_id parameter in administrative request paths.
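One way to implement the log monitoring and user_id check described above, as an added example that is not part of this advisory or the vendor's code. It assumes Apache combined-format access logs and that user_id is expected to be a plain integer; the sample log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format) for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2026:10:01:02 +0000] "GET /admin/mensproductdeletequery.php?user_id=42 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2026:10:01:07 +0000] "GET /admin/mensproductdeletequery.php?user_id=42%27%20OR%201%3D1--%20- HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.5 - - [12/May/2026:10:01:09 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2026:10:01:11 +0000] "GET /admin/mensproductdeletequery.php?user_id=42%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0 "-" "python-requests/2.31"
"""

# Minimal parser for the fields we need: client IP, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TARGET_FILE = "/admin/mensproductdeletequery.php"  # the affected script named in the advisory
# Tokens that never belong in an integer id; checked after URL decoding.
SQL_HINT = re.compile(r"(?i)(\bor\b|\band\b|\bunion\b|\bselect\b|--|#|/\*|'|\")")


def check_request(target):
    """Return a list of findings for one request target; [] means nothing suspicious."""
    parts = urlsplit(target)
    if parts.path != TARGET_FILE:
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for raw in params.get("user_id", []):
        value = unquote(raw)  # parse_qs decoded once; decode again to catch double encoding
        if not value.isdigit():
            findings.append(f"non-numeric user_id: {value!r}")
        if SQL_HINT.search(value):
            findings.append(f"SQL-like token in user_id: {value!r}")
    return findings


def scan_log(text):
    """Scan access-log text and return (ip, target, findings) for each suspicious request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = check_request(m.group("target"))
        if findings:
            alerts.append((m.group("ip"), m.group("target"), findings))
    return alerts


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target, "; ".join(findings))
```

The same two checks (integer-only user_id, SQL-like tokens after decoding) map directly onto a WAF rule scoped to the admin path.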

Exploitation status

Public Exploit Available: true

Analyst recommendation

Security teams must prioritize isolating the administrative interface of this application. Given the lack of a vendor-provided patch, the primary defense must be a combination of strict network access controls and robust WAF filtering to prevent unauthorized database interactions.