CVE-2000-0136

Cart32 - Unauthenticated Purchase Information Modification via Hidden Form Fields

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2000-0136. PoCs published by CDI.

AI-analyzed exploit summary: This exploit demonstrates a hidden form field manipulation vulnerability in multiple shopping cart applications, allowing an attacker to modify product parameters such as price and quantity. It bypasses basic security checks by spoofing the referer and sending tainted data via POST requests.

Description

The Cart32 shopping cart application allows remote users to modify sensitive purchase information via hidden form fields.

Exploits (1)

exploitdb WORKING POC VERIFIED
by CDI · php · remote · cgi
https://www.exploit-db.com/exploits/19951

Classification: Working PoC 95%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: E-Commerce Exchange QuickCommerce 2.5/3.0, McMurtrey/Whitaker & Associates Cart32 2.5 a/3.0, Shop Express 1.0, StoreCreator 3.0
No auth needed
Prerequisites: Access to the target shopping cart application · Ability to send HTTP POST requests
devstral-2 · analyzed Feb 16, 2026

References (1)

Core References
Third Party Advisory, VDB Entry x_refsource_misc
https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-2000-0136

Scores

EPSS 0.0683
EPSS Percentile 93.2%

Details

Status published
Products (1)
mcmurtrey_whitaker_and_associates/cart32
Published Feb 01, 2000
Tracked Since Feb 18, 2026