CVE-2020-37003

MEDIUM

Sellacious eCommerce 4.6 - XSS

Title source: llm

Description

Sellacious eCommerce 4.6 contains a persistent cross-site scripting vulnerability in the Manage Your Addresses module that allows attackers to inject malicious scripts. Attackers can exploit multiple address input fields like full name, company, and address to execute persistent script code that can hijack user sessions and manipulate application modules.

Exploits (1)

exploitdb WORKING POC

by Vulnerability-Lab · textwebappsphp

https://www.exploit-db.com/exploits/48467

View Code ZIP pw:eip

References (5)

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/48467

[Various Sources] https://www.sellacious.com

[Various Sources] https://www.sellacious.com/free-open-source-ecommerce-software

[Various Sources] https://www.vulnerability-lab.com/get_content.php?id=2226

[Third Party Advisory] https://www.vulncheck.com/advisories/sellacious-ecommerce-persistent-cross-site-scripting

Scores

CVSS v3 6.4

EPSS 0.0005

EPSS Percentile 14.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Published Jan 30, 2026

Tracked Since Feb 18, 2026