Sup Online Shopping
Monthly
Cross-site scripting in SourceCodester SUP Online Shopping 1.0 is exploitable via the productName parameter of /admin/productedit.php: the submitted value is rendered back into the page without output encoding. An attacker who already holds high-privilege admin credentials can supply a JavaScript payload that executes in the browser of another user who views the affected admin page. Public exploit code exists (per a referenced GitHub issue), but an EPSS score of 0.03% (9th percentile) and absence from the CISA KEV catalog indicate negligible active exploitation interest at the time of analysis.
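The pattern described above, shown as an added illustration rather than code from SUP Online Shopping itself: a request parameter interpolated into an input's value attribute without encoding, next to the encoded form. The form markup, the renderVulnerable/renderSafe names and the attacker string are assumptions for the example; the parameter name productName comes from the advisory.

```php
<?php
// Added example, not SUP Online Shopping's own code. It models an edit form
// that echoes the productName request parameter back into a value attribute.

// Constructed attacker input: closes the value attribute, then injects script.
$productName = $_REQUEST['productName'] ?? '"><script>alert(document.domain)</script>';

// Vulnerable rendering: the raw parameter lands inside the attribute, so the
// leading "> terminates the attribute and the tag and the script is live.
function renderVulnerable(string $name): string {
    return '<input type="text" name="productName" value="' . $name . '">';
}

// Hardened rendering: HTML-encode for the attribute context. ENT_QUOTES is
// essential here, because the double quote is what delimits the attribute;
// without it the encoded output would still break out.
function renderSafe(string $name): string {
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="productName" value="' . $encoded . '">';
}

// Quick self-check: a single <input> tag should contain exactly one '<'.
// A second one means the payload escaped the attribute and created new markup.
function breaksOut(string $html): bool {
    return substr_count($html, '<') > 1;
}

echo renderVulnerable($productName), PHP_EOL;   // breaksOut() => true
echo renderSafe($productName), PHP_EOL;         // breaksOut() => false
```

Encoding at the point of output is the fix; "sanitizing" on input (stripping <script>) is bypassable and also breaks legitimate product names. The same productName value is typically echoed in other places (product list, storefront), so each output location needs its own context-appropriate encoding, and a Content-Security-Policy that disallows inline script limits the blast radius if one is missed.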