CVE-2014-5140

HIGH

Loaded Commerce 7 - Authenticated SQL Injection via Address Book Fields

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-5140. PoCs published by Breaking.Technology.

AI-analyzed exploit summary: This exploit demonstrates a SQL injection vulnerability in LoadedCommerce 7's query factory. By manipulating input fields in the address book, an attacker can extract admin credentials (username and password hash) from the database.

Description

The bindReplace function in the query factory in includes/classes/database.php in Loaded Commerce 7 does not properly handle : (colon) characters, which allows remote authenticated users to conduct SQL injection attacks via the First name and Last name fields in the address book.

Exploits (1)

exploit-db · Working PoC
by Breaking.Technology · text · webapps · php
https://www.exploit-db.com/exploits/34552

Classification: Working PoC (90%)
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: LoadedCommerce 7
Authentication: required
Prerequisites: Valid customer account · Access to the address book feature
Analyzed by devstral-2 on Feb 16, 2026

References (5)

http://www.exploit-db.com/exploits/34552 (Exploit, Third Party Advisory, VDB Entry)
https://exchange.xforce.ibmcloud.com/vulnerabilities/95791 (Third Party Advisory, VDB Entry)
https://github.com/loadedcommerce/loaded7/pull/520 (Patch, Third Party Advisory)

Scores

CVSS v3: 8.8
EPSS: 0.0268
EPSS Percentile: 83.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (1): loadedcommerce/loaded7
Published: Jan 03, 2020
Tracked Since: Feb 18, 2026