CVE-2021-47892

HIGH

PEEL Shopping 9.3.0 - Stored Cross-Site Scripting via Comments / Special Instructions Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47892. PoCs published by Anmol K Sachan.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in PEEL Shopping 9.3.0 via the 'Comments/Special Instructions' field. The payload bypasses basic input filters using obfuscation techniques to execute arbitrary JavaScript.

Description

PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the 'Comments / Special Instructions' parameter of the purchase page. Attackers can inject malicious JavaScript payloads that will execute when the page is refreshed, potentially allowing client-side script execution.

Exploits (1)

exploitdb WORKING POC

by Anmol K Sachan · textwebappsphp

https://www.exploit-db.com/exploits/49574

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in PEEL Shopping 9.3.0 via the 'Comments/Special Instructions' field. The payload bypasses basic input filters using obfuscation techniques to execute arbitrary JavaScript.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: PEEL Shopping 9.3.0

Auth required

Prerequisites: Access to the vulnerable 'achat_maintenant.php' page · Ability to submit a malicious payload in the 'Comments/Special Instructions' field

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory exploit

https://www.exploit-db.com/exploits/49574

Various Sources product

https://web.archive.org/web/20210302174407/https://www.peel.fr/

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/peel-shopping-commentsspecial-instructions-stored-cross-site-scripting

Scores

CVSS v3 7.2

EPSS 0.0022

EPSS Percentile 12.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-79

Status published

Published Jan 23, 2026

Tracked Since Feb 18, 2026