CVE-2014-4962

Shopizer < 1.1.5 - Unauthenticated Price Manipulation via Negative Product Quantity

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-4962.

AI-analyzed exploit summary This is a detailed security advisory from SEC Consult Vulnerability Lab describing multiple critical vulnerabilities in Shopizer, including Remote Command Execution via Struts2, price manipulation, mass assignment, CSRF, and XSS. It provides technical details, proof-of-concept URLs, and HTTP request examples.

Description

Shopizer 1.1.5 and earlier allows remote attackers to reduce the total cost of their shopping cart via a negative number in the productQuantity parameter, which causes the price of the item to be subtracted from the total cost.

Exploits (1)

exploitdb WRITEUP
webappsphp
https://www.exploit-db.com/exploits/34062

This is a detailed security advisory from SEC Consult Vulnerability Lab describing multiple critical vulnerabilities in Shopizer, including Remote Command Execution via Struts2, price manipulation, mass assignment, CSRF, and XSS. It provides technical details, proof-of-concept URLs, and HTTP request examples.

Classification
Writeup 100%
Attack Type
Rce | Auth Bypass | Other
Complexity
Moderate
Reliability
Reliable
Target: Shopizer 1.1.5 and below
No auth needed
Prerequisites: Access to the Shopizer web interface · Struts2 vulnerability exposure
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/532726/100/0/threaded
Exploit mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Jul/38

Scores

EPSS 0.0471
EPSS Percentile 90.7%

Details

CWE
CWE-189
Status published
Products (1)
shopizer/shopizer < 1.1.5
Published Jul 15, 2014
Tracked Since Feb 18, 2026