Platform
php
Component
code-projects-online-shoe-store
Fixed in
1.0.1
CVE-2026-5835 describes a cross-site scripting (XSS) vulnerability discovered in code-projects Online Shoe Store. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user data and session integrity. The vulnerability affects versions 1.0.0 through 1.0 and can be exploited remotely through manipulation of the product_name parameter within the /admin/admin_football.php file. A patch is expected to resolve this issue.
Successful exploitation of CVE-2026-5835 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious outcomes, including session hijacking, credential theft, and defacement of the online store. An attacker could potentially redirect users to phishing sites, inject malware, or steal sensitive information such as customer payment details. The public availability of an exploit significantly increases the risk of widespread exploitation, particularly if the application is widely deployed without proper security measures.
The exploit for CVE-2026-5835 has been publicly disclosed, indicating a higher probability of exploitation. While the CVSS score is LOW (2.4), the availability of a working exploit means attackers can readily leverage this vulnerability. No KEV listing or active campaigns have been reported as of the publication date, but the public exploit warrants immediate attention.
Administrators of code-projects Online Shoe Store installations are the primary group at risk. Shared hosting environments where multiple users share the same server instance are also particularly vulnerable, as a successful attack could potentially compromise other websites hosted on the same server. Users with administrative privileges are at the highest risk.
• php / web:
curl -s -X POST "http://your-target-domain.com/admin/admin_football.php" -d "product_name=<script>alert('XSS')</script>" | grep "<script>alert('XSS')</script>"
• generic web:
curl -I "http://your-target-domain.com/admin/admin_football.php?product_name=<script>alert('XSS')</script>"
• generic web: Examine access logs for requests to /admin/admin_football.php containing suspicious characters or patterns in the product_name parameter (e.g., <script>, <img src=x onerror=alert('XSS')>, etc.).
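The access-log review described above, as an added example that is not part of this advisory: it parses constructed Apache-style log lines, keeps only requests to /admin/admin_football.php, URL-decodes the product_name value (twice, so double-encoded probes are not missed) and flags tag or event-handler markers. The log format, IP addresses and payloads below are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in the advisory for CVE-2026-5835.
AFFECTED_PATH = "/admin/admin_football.php"
AFFECTED_PARAM = "product_name"

# Request line inside a Common Log Format entry: "METHOD /path?query HTTP/1.x"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Markers typical of HTML/script injection; evaluated on the decoded value.
SUSPICIOUS_RE = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe)\b|\bon\w+\s*=|javascript:", re.IGNORECASE
)

# Constructed sample log (TEST-NET addresses); lines 2 and 3 are probes.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2026:12:00:01 +0000] "GET /admin/admin_football.php?product_name=Runner HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/May/2026:12:00:02 +0000] "GET /admin/admin_football.php?product_name=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E HTTP/1.1" 200 640',
    '203.0.113.9 - - [10/May/2026:12:00:03 +0000] "GET /admin/admin_football.php?product_name=%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E HTTP/1.1" 200 640',
    '203.0.113.9 - - [10/May/2026:12:00:04 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 100',
]

def normalize(value: str) -> str:
    """URL-decode twice so double-encoded payloads (e.g. %253C) are visible."""
    return unquote(unquote(value))

def is_suspicious_value(value: str) -> bool:
    """True if the decoded parameter value carries an injection marker."""
    return bool(SUSPICIOUS_RE.search(normalize(value)))

def flag_request(line: str):
    """Return (request target, decoded product_name) for a suspicious request
    to the affected endpoint, or None for anything else."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    if parts.path != AFFECTED_PATH:
        return None
    # Note: access logs hold only the request line, so POST bodies are not
    # visible here; only query-string (GET) probes can be detected this way.
    for value in parse_qs(parts.query, keep_blank_values=True).get(AFFECTED_PARAM, []):
        if is_suspicious_value(value):
            return target, normalize(value)
    return None

def scan_log(lines):
    """Return every flagged (target, decoded value) pair in the given log."""
    return [hit for hit in (flag_request(l) for l in lines) if hit]
```

Because a standard access log records only the request line, the POST probe shown above leaves no parameter trace; catching it requires request-body logging at a WAF or reverse proxy.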
disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-5835 is to upgrade to a patched version of code-projects Online Shoe Store as soon as it becomes available. Until a patch is applied, consider implementing input validation and sanitization on the product_name parameter within the /admin/admin_football.php file to prevent malicious script injection. Web application firewalls (WAFs) configured to detect and block XSS attacks can also provide a layer of protection. Regularly review and update security policies to ensure they address XSS vulnerabilities.
Update the 'code-projects Online Shoe Store' plugin to the latest available version to fix the XSS vulnerability in the admin_football.php file. Check the official plugin sources for update instructions and security patches. Implement appropriate validation and escaping for the 'product_name' user input to prevent future XSS attacks.
CVE-2026-5835 is a cross-site scripting (XSS) vulnerability in code-projects Online Shoe Store versions 1.0.0–1.0, allowing attackers to inject malicious scripts via the product_name parameter in /admin/admin_football.php.
You are affected if you are running code-projects Online Shoe Store version 1.0.0–1.0 and have not yet applied a patch or implemented mitigating controls.
Upgrade to a patched version of code-projects Online Shoe Store as soon as it is available. Until then, implement a WAF rule and strict input sanitization.
A public proof-of-concept exists, suggesting a potential for active exploitation. Monitor your systems for suspicious activity.
Refer to the code-projects website or security mailing list for the official advisory regarding CVE-2026-5835.