CVE-2017-20132

MEDIUM

Itech Multi Vendor Script 6.49 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-20132. PoCs published by Kaan KAMIS.

AI-analyzed exploit summary This exploit demonstrates SQL injection vulnerabilities in Itech Multi Vendor Script 6.49, including boolean-based blind, time-based blind, and UNION query techniques. The payloads target the 'pl' parameter in product-list.php to extract arbitrary database data.

Description

A vulnerability was found in Itech Multi Vendor Script 6.49 and classified as critical. This issue affects some unknown processing of the file /multi-vendor-shopping-script/product-list.php. The manipulation of the argument pl leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Exploits (1)

exploitdb WORKING POC
by Kaan KAMIS · textwebappsphp
https://www.exploit-db.com/exploits/41193

This exploit demonstrates SQL injection vulnerabilities in Itech Multi Vendor Script 6.49, including boolean-based blind, time-based blind, and UNION query techniques. The payloads target the 'pl' parameter in product-list.php to extract arbitrary database data.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: Itech Multi Vendor Script 6.49
No auth needed
Prerequisites: Access to the vulnerable endpoint · Basic knowledge of SQL injection techniques
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Third Party Advisory x_refsource_misc
https://vuldb.com/?id.96287
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/41193/

Scores

CVSS v3 6.3
EPSS 0.0069
EPSS Percentile 47.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
itechscripts/multi_vendor_script 6.49
Published Jul 16, 2022
Tracked Since Feb 18, 2026