CVE-2026-14654: Remote SQL Injection in SourceCodester Simple and Nice Shopping Cart Script
A remote, unauthenticated SQL injection vulnerability (CVE-2026-14654) in SourceCodester Simple and Nice Shopping Cart Script 1.0 allows attackers to manipulate the `user_id` argument via `/admin/girlsproductdeletequery.php`, leading to database compromise, data exfiltration, or unauthorized access, with an exploit publicly available.
A critical SQL injection vulnerability, identified as CVE-2026-14654, has been discovered in version 1.0 of the SourceCodester Simple and Nice Shopping Cart Script. This flaw specifically affects an unknown function within the /admin/girlsproductdeletequery.php file, where improper neutralization of special elements in the user_id argument leads to SQL injection. The vulnerability allows a remote and unauthenticated attacker to inject malicious SQL commands into database queries. The exploit for this vulnerability is publicly available, increasing the likelihood of its use in the wild. This poses a significant risk to organizations utilizing the affected software, enabling potential unauthorized access, data manipulation, or even remote code execution if the underlying database user has elevated privileges. The vulnerability was published on July 4, 2026.
Attack Chain
- An attacker identifies an internet-facing instance of SourceCodester Simple and Nice Shopping Cart Script 1.0.
- The attacker crafts a malicious HTTP GET or POST request to the
/admin/girlsproductdeletequery.phpendpoint. - The request includes specially constructed SQL injection payloads within the
user_idparameter, such as' OR 1=1--orUNION SELECT .... - The vulnerable application processes the
user_idargument without adequate sanitization, causing the injected SQL commands to be executed by the backend database. - Successful injection allows the attacker to bypass authentication, query sensitive database information (e.g., user credentials, product details), modify existing data, or delete records.
- Depending on the database system and the privileges of the database user account, the attacker may escalate the SQL injection to achieve remote code execution (RCE) on the underlying web server.
- If RCE is successful, the attacker can establish persistent access mechanisms, such as deploying web shells or other backdoors.
- The final objective often includes data exfiltration, website defacement, or broader compromise of the hosting infrastructure.
Impact
Successful exploitation of CVE-2026-14654 can lead to severe consequences for affected organizations. Attackers can gain unauthorized access to the application's database, allowing for the theft of sensitive customer and product information, modification of order details, or deletion of critical data. While specific victim counts or targeted sectors are not available, any organization using SourceCodester Simple and Nice Shopping Cart Script 1.0 is at risk. The publicly available exploit further exacerbates the threat, making it easier for malicious actors to compromise systems and disrupt business operations.
Recommendation
- Immediately patch SourceCodester Simple and Nice Shopping Cart Script 1.0 if an official update is available, or remove the affected component from internet exposure.
- Deploy the Sigma rule "Detect CVE-2026-14654 Exploitation - SQL Injection in Shopping Cart Script" to your SIEM for early detection of exploitation attempts.
- Monitor web server access logs for requests targeting
/admin/girlsproductdeletequery.phpthat contain unusual or suspicious characters and SQL keywords as described in the detection rule. - Review the references provided, particularly https://github.com/Yuesswor/cve/issues/4 and https://vuldb.com/vuln/376167, for potential workarounds or additional mitigation details.
Detection coverage 1
Detect CVE-2026-14654 Exploitation - SQL Injection in Shopping Cart Script
highDetects CVE-2026-14654 exploitation — attempts to inject SQL commands via the `user_id` parameter in `/admin/girlsproductdeletequery.php`.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
7
url
| Type | Value |
|---|---|
| url | https://nvd.nist.gov/vuln/detail/CVE-2026-14654 |
| url | https://github.com/Yuesswor/cve/issues/4 |
| url | https://vuldb.com/cve/CVE-2026-14654 |
| url | https://vuldb.com/submit/846702 |
| url | https://vuldb.com/vuln/376167 |
| url | https://vuldb.com/vuln/376167/cti |
| url | https://www.sourcecodester.com/ |