Severity by source

CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was detected in code-projects Online Shoe Store 1.0. Affected is an unknown function of the file /admin/admin_running.php. Manipulation of the argument product_name results in cross-site scripting. The attack can be initiated remotely. The exploit is now public and may be used.
Analysis (AI)

Cross-site scripting (XSS) in code-projects Online Shoe Store 1.0 allows authenticated remote attackers with administrative privileges to inject malicious scripts via the product_name parameter of /admin/admin_running.php; execution requires user interaction. Publicly available exploit code exists for this vulnerability, but it carries a low CVSS score of 2.4 because of its restrictive exploitation conditions (high privileges required, user interaction needed) and limited impact (integrity only).
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Risk Assessment | Consistent with its low CVSS score of 2.4, this vulnerability presents minimal real-world risk because of several restrictive factors: the high privilege requirement (PR:H) rules out exploitation by unauthenticated remote users, the user-interaction requirement (UI:P) prevents fully automated exploitation, and the integrity-only impact (VI:L, with no confidentiality or availability impact) means a successful attack does not expose data or affect availability. … |
| Exploit Scenario | An attacker with compromised administrative credentials crafts a malicious URL containing a JavaScript payload in the product_name parameter (e.g., /admin/admin_running.php?product_name=<script>...</script>) and tricks another administrator into clicking the link via a phishing email or message. When the victim administrator opens the link, the injected script executes in their browser session with their administrative privileges, allowing the attacker to steal session cookies, perform unauthorized product modifications, or pivot to other administrative functions. … |
| Remediation | Upgrade code-projects Online Shoe Store to a patched version released after version 1.0; consult the vendor at https://code-projects.org/ for specific fixed-version availability. … |
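The class of defect described above, as an added illustration that is not the project's own code: a reflected XSS pattern in which a request parameter is echoed straight into HTML, beside a hardened form that validates the value and HTML-encodes it on output. The function names, the markup, and the allow-list pattern are hypothetical; the real admin_running.php may differ.

```php
<?php
// Added illustration, not code from Online Shoe Store. Hypothetical names.

// Vulnerable pattern: the product_name parameter is written into the page
// unencoded, so a value containing markup is interpreted as HTML/script in
// the browser of whichever administrator loads the URL.
function render_product_vulnerable(array $get): string {
    $name = $get['product_name'] ?? '';
    return "<h2>Running product: " . $name . "</h2>";
}

// Hardened form: reject values that do not look like a product name, then
// HTML-encode on output so whatever remains is rendered as literal text.
// The allow-list pattern is an assumption; tune it to the real product data.
function render_product_hardened(array $get): string {
    $name = $get['product_name'] ?? '';
    if (!preg_match('/^[\p{L}\p{N} .,\'&()-]{1,100}$/u', $name)) {
        $name = ''; // not a plausible product name: drop it rather than echo it
    }
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Running product: " . $safe . "</h2>";
}

// Constructed sample inputs for demonstration.
$hostile = ['product_name' => '<script>alert(1)</script>'];
$benign  = ['product_name' => 'Trail Runner 3 (wide)'];

echo render_product_vulnerable($hostile), "\n"; // markup passes through verbatim
echo render_product_hardened($hostile), "\n";   // fails the allow-list, name omitted
echo render_product_hardened($benign), "\n";    // "(" and ")" pass, "&" would be encoded
```

Output encoding at the template layer is the control that closes the defect; the allow-list is defence in depth and must not be relied on alone.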
Related identifiers

- EUVD-2026-20833
- GHSA-2mp7-7vgg-f35r