CVE-2021-27190

MEDIUM

PEEL SHOPPING 9.3.0 and 9.4.0 - Stored Cross-Site Scripting via Polyglot Payload


Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-27190. PoCs published by anmolksachan.

AI-analyzed exploit summary: This repository documents a Stored XSS vulnerability (CVE-2021-27190) in PEEL Shopping 9.3.0, where the 'Address' parameter in 'change_params.php' is vulnerable to JavaScript injection. The payload provided is a crafted XSS vector that executes when the address is edited.

Description

A stored cross-site scripting (XSS) vulnerability was discovered in PEEL SHOPPING 9.3.0 and 9.4.0, which are publicly available. User-supplied input containing a polyglot payload is echoed back inside JavaScript code in the HTML response. This allows an attacker to inject malicious JavaScript that can steal cookies, redirect users to other malicious websites, etc.

Exploits (1)

nomisec WRITEUP 3 stars
by anmolksachan · poc
https://github.com/anmolksachan/CVE-2021-27190-PEEL-Shopping-cart-9.3.0-Stored-XSS


Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: PEEL Shopping 9.3.0
Auth required
Prerequisites: Access to the vulnerable application · User interaction to edit the address field
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 5.4
EPSS: 0.0162
EPSS Percentile: 73.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (2):
peel/peel_shopping 9.3.0
peel/peel_shopping 9.4.0
Published: Feb 12, 2021
Tracked Since: Feb 18, 2026