CVE-2020-35309

MEDIUM

Bakeshop Online Ordering System 1.0 - Stored Cross-Site Scripting in Admin Dashboard Categories


Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-35309, a PoC published by Parshwa Bhavsar.

AI-analyzed exploit summary This exploit demonstrates a persistent XSS vulnerability in Bakeshop Online Ordering System 1.0. The payload is injected into the 'Category' input field in the admin dashboard, triggering when the field is saved and rendered.

Description

Bakeshop Online Ordering System in PHP/MySQLi 1.0 is affected by stored cross-site scripting (XSS): an authenticated administrator can inject arbitrary web script or HTML through the "Categories" field of the admin dashboard, and the stored payload executes in the browser of any user who views the page on which that category is rendered.
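The following is an added illustration of the bug class this entry describes, written for this page and not taken from the Bakeshop Online Ordering System source (its actual file, table and column names are not shown on this page; `categories`, `name` and the helper names below are assumptions). It puts the vulnerable rendering pattern beside the hardened one, and shows why a prepared statement on the insert path does not address the XSS, since the defect is at output time:

```php
<?php
// Added example, not the project's own code. Models the pattern the advisory
// describes: a category name submitted by an authenticated admin is stored and
// later rendered into the dashboard without output encoding.
// Assumed names: table `categories`, column `name`, helper `e()`.

// Vulnerable rendering: the stored value is echoed raw, so a name containing
// markup (a <script> tag, or an onerror= attribute on an <img>) executes in the
// browser of every admin who views the Categories page.
function render_category_vulnerable(string $name): string
{
    return '<li>' . $name . '</li>';
}

// Hardened rendering: encode for the HTML text context. ENT_QUOTES also
// encodes single quotes so the same helper is safe inside a quoted attribute
// value; ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_category_safe(string $name): string
{
    return '<li>' . e($name) . '</li>';
}

// A prepared statement on the write path keeps SQL injection out of the
// picture, but it does nothing against XSS: the payload is stored intact and
// byte-exact. Stored XSS is fixed where the value is rendered, not where it
// is saved, so do not rely on input filtering here.
function store_category(mysqli $db, string $name): bool
{
    $stmt = $db->prepare('INSERT INTO categories (name) VALUES (?)');
    $stmt->bind_param('s', $name);
    return $stmt->execute();
}

// Constructed sample input standing in for a malicious category name.
$sample = '<script>alert(1)</script>';

echo render_category_vulnerable($sample), PHP_EOL; // markup reaches the page as-is
echo render_category_safe($sample), PHP_EOL;       // rendered as inert text
```

When reviewing a similar code base, search for `echo $row[` and `<?= $` occurrences in admin templates that print database values without passing through an encoding helper; each one is a candidate for the same stored-XSS pattern. A `Content-Security-Policy` header without `'unsafe-inline'` in `script-src` limits the impact of any instance that is missed, but it is a second layer, not a replacement for output encoding.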

Exploits (1)

Exploit-DB (working PoC)
by Parshwa Bhavsar · text · webapps · multiple
https://www.exploit-db.com/exploits/49161

Classification
Working PoC (100%)
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: Bakeshop Online Ordering System 1.0
Auth required
Prerequisites: Admin access to the Bakeshop Online Ordering System
Analyzed by devstral-2 on Feb 16, 2026

References (1)

Core References (1)
Exploit, Third Party Advisory, VDB Entry (x_refsource_misc)
https://www.exploit-db.com/exploits/49161

Scores

CVSS v3.1 4.8 (Medium)
EPSS 0.0071 (0.71%)
EPSS Percentile 48.7%
Attack Vector NETWORK
Vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (admin privileges required to plant the payload, a victim must view the page, and the scope is changed because the script runs in the viewing admin's browser rather than in the vulnerable component itself)

Details

CWE
CWE-79
Status published
Products (1)
bakeshop_online_ordering_system_project/bakeshop_online_ordering_system 1.0
Published Jan 26, 2021
Tracked Since Feb 18, 2026