Platform
php
Component
online-shoe-store
Fixed in
1.0.1
A cross-site scripting (XSS) vulnerability has been identified in Online Shoe Store versions 1.0.0 through 1.0. The flaw lets an attacker inject script into pages served by the application, potentially compromising user sessions and data. It resides in the /admin/admin_running.php file, in the handling of the product_name argument. A public exploit is available, which increases the risk of exploitation.
Successful exploitation of CVE-2026-5834 lets an attacker execute arbitrary JavaScript in the context of a victim's browser session on the Online Shoe Store application. Possible outcomes include session hijacking, defacement, redirection to phishing sites, and theft of sensitive data such as login credentials or personal information. Because /admin/admin_running.php is part of the administrative interface, an attacker who targets a user with administrative privileges can act with that user's session in the admin panel. The public availability of an exploit makes opportunistic exploitation more likely.
CVE-2026-5834 is currently rated LOW severity (CVSS score 2.4). The availability of a public proof-of-concept (PoC) nevertheless raises the practical risk: no active exploitation campaigns have been publicly confirmed, but the low effort required makes it a plausible target for opportunistic attackers. The vulnerability was publicly disclosed on 2026-04-09.
Administrators of Online Shoe Store installations running versions 1.0.0 through 1.0 are at risk. Installations where several accounts share the same admin panel are also exposed: any user who can submit a product_name value that is later rendered by /admin/admin_running.php can target the other users who view that page.
• php / web (check whether the parameter is read straight from the request on your installed copy):
grep -n "\$_GET['product_name']" /var/www/html/admin/admin_running.php
• generic web (the payload is URL-encoded; send a GET, not a HEAD request, because the reflection is in the response body, and add your admin session cookie with -b if the page requires login; a count of 1 or more means the payload came back unencoded):
curl -s "https://your-online-shoe-store.com/admin/admin_running.php?product_name=%3Cscript%3Ealert('XSS')%3C/script%3E" | grep -c "<script>alert('XSS')</script>"
Disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-5834 is to upgrade to a patched version of Online Shoe Store. The metadata above lists 1.0.1 as the fixed release; confirm this with the vendor, and until a patched build is deployed, review the codebase, particularly /admin/admin_running.php, for request parameters that are echoed into HTML without sanitization. Implement input validation and context-aware output encoding to prevent XSS. A Web Application Firewall (WAF) with XSS rules can filter many malicious requests but is a stopgap, not a fix. Regularly scan the application for vulnerabilities using automated tools.
Update the Online Shoe Store plugin to the latest available version, since that version fixes the cross-site scripting (XSS) vulnerability in the admin_running.php file. Check the plugin source for update instructions or contact the developer for support.
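To make the "input validation and output encoding" advice concrete, the following is an added example written for this page; it is not code from Online Shoe Store, and the function names, the exact source line of the vulnerable echo, and the permitted character set for product names are assumptions for illustration. It places a minimal reflected-XSS pattern of the kind described for admin_running.php beside a hardened form.

```php
<?php
// Added example, not Online Shoe Store code. Names and the request shape are assumed.
declare(strict_types=1);

// Vulnerable pattern: the product_name parameter is echoed straight into the HTML response,
// so a value such as <script>alert('XSS')</script> runs in the viewing admin's browser.
function render_vulnerable(array $get): string
{
    $name = $get['product_name'] ?? '';
    return "<h2>Running product: " . $name . "</h2>";
}

// Hardened form: validate the input against what a product name can actually be,
// then encode the value for the HTML context in which it is rendered.
function render_hardened(array $get): string
{
    $raw = $get['product_name'] ?? '';
    // Input validation: a bounded length and a printable character set.
    // The allowed set is an assumption; align it with the real data model.
    if (!is_string($raw) || !preg_match('/^[\p{L}\p{N} .,\'&-]{1,100}$/u', $raw)) {
        return "<h2>Invalid product name</h2>";
    }
    // Output encoding: ENT_QUOTES also covers attribute contexts, ENT_SUBSTITUTE avoids
    // returning an empty string on malformed UTF-8, and the charset is set explicitly.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<h2>Running product: " . $safe . "</h2>";
}

// Constructed inputs: the advisory's PoC-style payload and a legitimate name with punctuation.
$payload    = ['product_name' => "<script>alert('XSS')</script>"];
$legitimate = ['product_name' => "Runner's Choice & Co"];

echo render_vulnerable($payload), PHP_EOL;   // payload returned verbatim
echo render_hardened($payload), PHP_EOL;     // rejected by validation
echo render_hardened($legitimate), PHP_EOL;  // accepted, apostrophe and ampersand encoded
```

Validation alone is not sufficient: the third call shows that a perfectly legitimate name containing an apostrophe or ampersand still has to be encoded before it reaches the page, which is why the hardened function does both. If the name is also rendered inside a JavaScript string or a URL, a different encoder for that context is needed; htmlspecialchars only covers HTML text and attribute values.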
CVE-2026-5834 is a cross-site scripting (XSS) vulnerability affecting Online Shoe Store versions 1.0.0–1.0, allowing attackers to inject malicious scripts via the product_name parameter.
If you are running Online Shoe Store version 1.0.0 through 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as it becomes available.
The recommended fix is to upgrade to a patched version of Online Shoe Store. Contact the vendor for an updated release. Implement input validation and output encoding as an interim measure.
While there is no confirmed active exploitation, a public proof-of-concept exists, increasing the risk of exploitation.
Refer to the Online Shoe Store vendor's website or security advisory page for the official advisory regarding CVE-2026-5834.