SourceCodester SUP Online Shopping 1.0 SQL Injection Vulnerability

SourceCodester SUP Online Shopping 1.0 is vulnerable to SQL injection in the /admin/replymsg.php file. The vulnerability is triggered by manipulating the msgid argument, allowing remote attackers to inject and execute arbitrary SQL commands. This vulnerability, identified as CVE-2026-8131, has a CVSS v3.1 score of 7.3, indicating a high severity. Public exploits are available, increasing the risk of exploitation. Successful exploitation could allow attackers to read, modify, or delete sensitive data, potentially leading to full database compromise.

Attack Chain

1. Attacker identifies the vulnerable endpoint: /admin/replymsg.php.
2. Attacker crafts a malicious HTTP GET or POST request targeting /admin/replymsg.php.
3. The malicious request includes the msgid parameter with a crafted SQL injection payload.
4. The application fails to properly sanitize the msgid input.
5. The unsanitized input is directly incorporated into an SQL query.
6. The injected SQL code is executed against the database.
7. Attacker retrieves sensitive information or modifies database entries.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2026-8131) can lead to unauthorized access to sensitive data, modification of existing records, or complete database compromise. The impact includes potential data breaches, financial losses, and reputational damage for organizations using the vulnerable SourceCodester SUP Online Shopping 1.0. Given the availability of public exploits, the risk of widespread exploitation is elevated.

Recommendation

• Apply appropriate input validation and sanitization to the msgid parameter in /admin/replymsg.php to prevent SQL injection, mitigating CVE-2026-8131.
• Deploy the Sigma rule Detect SQL Injection Attempt via msgid Parameter to identify and block malicious requests targeting the vulnerable endpoint.
• Upgrade to a patched version of SourceCodester SUP Online Shopping that addresses the SQL injection vulnerability.