CVE-2015-9226

HIGH

AlegroCart 1.2.8 - Authenticated SQL Injection via Download Parameter


Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-9226. PoCs published by Curesec Research Team.

AI-analyzed exploit summary: This exploit demonstrates a blind SQL injection vulnerability in AlegroCart 1.2.8, affecting both the admin area (via file upload) and the customer checkout process (via PayPal interaction). The PoC includes specific payloads and steps to trigger the injection.

Description

Multiple SQL injection vulnerabilities in AlegroCart 1.2.8 allow remote administrators to execute arbitrary SQL commands via the download parameter in the (1) check_download and possibly (2) check_filename function in upload/admin2/model/products/model_admin_download.php, or allow remote authenticated users with a valid PayPal transaction token to execute arbitrary SQL commands via the ref parameter in the (3) orderUpdate function in upload/catalog/extension/payment/paypal.php.

Exploits (1)

exploit-db (working PoC)
by Curesec Research Team · tags: text, webapps, php
https://www.exploit-db.com/exploits/38727


Classification: Working PoC (100%)
Attack type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: AlegroCart 1.2.8
Auth required: yes
Prerequisites: Admin credentials for the admin area exploit · Valid PayPal token for the customer exploit
Analyzed by devstral-2 on Feb 16, 2026

References (4)

http://packetstormsecurity.com/files/134362/AlegroCart-1.2.8-SQL-Injection.html (Exploit, Third Party Advisory, VDB Entry)
https://www.exploit-db.com/exploits/38727/ (Exploit, Third Party Advisory, VDB Entry)
http://seclists.org/fulldisclosure/2015/Nov/68 (Exploit, Mailing List, Third Party Advisory)

Scores

CVSS v3 7.2
EPSS 0.0198
EPSS Percentile 77.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
alegrocart/alegrocart 1.2.8
Published Sep 11, 2017
Tracked Since Feb 18, 2026