CVE-2008-0739

CandyPress < 4.1 - SQL Injection via FedExAccount Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-0739. PoCs published by BugReport.IR.

AI-analyzed exploit summary The exploit demonstrates SQL injection, XSS, and path disclosure vulnerabilities in CandyPress eCommerce suite version 4.1.1.26. It includes functional PoC URLs to extract sensitive data such as admin credentials, payment details, and configuration settings.

Description

SQL injection vulnerability in admin/SA_shipFedExMeter.asp in CandyPress (CP) 4.1.1.26, and earlier 4.x and 3.x versions, allows remote attackers to execute arbitrary SQL commands via the FedExAccount parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by BugReport.IR · textwebappsasp
https://www.exploit-db.com/exploits/4988

The exploit demonstrates SQL injection, XSS, and path disclosure vulnerabilities in CandyPress eCommerce suite version 4.1.1.26. It includes functional PoC URLs to extract sensitive data such as admin credentials, payment details, and configuration settings.

Classification
Working Poc 95%
Attack Type
Sqli | Xss | Info Leak
Complexity
Trivial
Reliability
Reliable
Target: CandyPress eCommerce suite 4.1.1.26
No auth needed
Prerequisites: Network access to the target CandyPress installation
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/28662
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/0314

Scores

EPSS 0.0096
EPSS Percentile 56.9%

Details

CWE
CWE-89
Status published
Products (2)
shoppingtree/candypress_store 4.1.1.26
shoppingtree/candypress_store < 4.1
Published Feb 13, 2008
Tracked Since Feb 18, 2026