CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2018-25114 – osCommerce 2.3.4.1 Installer Unauthenticated Configuration File Injection PHP Code Execution
https://notcve.org/view.php?id=CVE-2018-25114
23 Jul 2025 — A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default, the /install/ directory remains accessible after installation. An unauthenticated attacker can invoke install_4.php, submit crafted POST data, and inject arbitrary PHP code into the configure.php file. When the application later includes this file, the injected payload is executed, resulting in full server-side ... • https://www.exploit-db.com/exploits/44374 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-40674 – Reflected Cross-Site Scripting (XSS) in osCommerce
https://notcve.org/view.php?id=CVE-2025-40674
17 Jun 2025 — Reflected Cross-Site Scripting (XSS) in osCommerce v4. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the name of any parameter in /watch/en/about-us. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. • https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-oscommerce • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-25119 – WordPress Woocommerce osCommerce Sync plugin <= 2.0.20 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-25119
02 Feb 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Woocommerce osCommerce Sync allows Reflected XSS. This issue affects Woocommerce osCommerce Sync: from n/a through 2.0.20. The Woocommerce osCommerce Sync plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.20 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary we... • https://patchstack.com/database/wordpress/plugin/woo-oscommerce-sync/vulnerability/wordpress-easy-wp-tiles-plugin-1-cross-site-scripting-xss-vulnerability-4?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.0EPSS: 10%CPEs: 1EXPL: 1CVE-2024-4348 – osCommerce all-products cross site scripting
https://notcve.org/view.php?id=CVE-2024-4348
30 Apr 2024 — A vulnerability, which was classified as problematic, was found in osCommerce 4. Affected is an unknown function of the file /catalog/all-products. The manipulation of the argument cat leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://packetstorm.news/files/id/178375 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22724
https://notcve.org/view.php?id=CVE-2024-22724
21 Mar 2024 — An issue was discovered in osCommerce v4, allows local attackers to bypass file upload restrictions and execute arbitrary code via administrator profile photo upload feature. Se descubrió un problema en osCommerce v4 que permite a atacantes locales eludir las restricciones de carga de archivos y ejecutar código arbitrario a través de la función de carga de fotos de perfil del administrador. • https://github.com/osCommerce/osCommerce-V4/issues/62 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 1%CPEs: 1EXPL: 1CVE-2024-26521
https://notcve.org/view.php?id=CVE-2024-26521
12 Mar 2024 — HTML Injection vulnerability in CE Phoenix v1.0.8.20 and before allows a remote attacker to execute arbitrary code, escalate privileges, and obtain sensitive information via a crafted payload to the english.php component. Vulnerabilidad de inyección HTML en CE Phoenix v1.0.8.20 y anteriores permite a un atacante remoto ejecutar código arbitrario, escalar privilegios y obtener información confidencial a través de un payload manipulado para el componente english.php. • https://github.com/hackervegas001/CVE-2024-26521 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 6%CPEs: 2EXPL: 0CVE-2024-25415
https://notcve.org/view.php?id=CVE-2024-25415
16 Feb 2024 — A remote code execution (RCE) vulnerability in /admin/define_language.php of CE Phoenix v1.0.8.20 allows attackers to execute arbitrary PHP code via injecting a crafted payload into the file english.php. Una vulnerabilidad de ejecución remota de código (RCE) en /admin/define_language.php de CE Phoenix v1.0.8.20 permite a atacantes ejecutar código PHP de su elección inyectando un payload manipulado en el archivo english.php. • https://github.com/capture0x/Phoenix • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-6609 – osCommerce all-products cross site scripting
https://notcve.org/view.php?id=CVE-2023-6609
08 Dec 2023 — A vulnerability was found in osCommerce 4. It has been classified as problematic. This affects an unknown part of the file /b2b-supermarket/catalog/all-products. The manipulation of the argument keywords with the input %27%22%3E%3Cimg%2Fsrc%3D1+onerror%3Dalert%28document.cookie%29%3E leads to cross site scripting. It is possible to initiate the attack remotely. • https://vuldb.com/?ctiid.247245 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2023-6579 – osCommerce POST Parameter shopping-cart sql injection
https://notcve.org/view.php?id=CVE-2023-6579
07 Dec 2023 — A vulnerability, which was classified as critical, has been found in osCommerce 4. Affected by this issue is some unknown functionality of the file /b2b-supermarket/shopping-cart of the component POST Parameter Handler. The manipulation of the argument estimate[country_id] leads to sql injection. The attack may be launched remotely. The identifier of this vulnerability is VDB-247160. • https://packetstorm.news/files/id/176124 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-6296 – osCommerce Instant Message compare cross site scripting
https://notcve.org/view.php?id=CVE-2023-6296
26 Nov 2023 — A vulnerability was found in osCommerce 4. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /catalog/compare of the component Instant Message Handler. The manipulation of the argument compare with the input 40dz4iq"><script>alert(1)</script>zohkx leads to cross site scripting. The attack may be launched remotely. • https://packetstorm.news/files/id/175925 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •