CVE-2023-2246

MEDIUM

Online Pizza Ordering System 1.0 - Unrestricted File Upload via admin/ajax.php img Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-2246. PoCs published by URGAN.

AI-analyzed exploit summary This exploit demonstrates an unauthenticated file upload vulnerability in Online Pizza Ordering System 1.0, allowing an attacker to upload a PHP webshell to the server. The script uploads the payload via a POST request to a vulnerable endpoint and then locates the uploaded file by parsing the response.

Description

A vulnerability has been found in SourceCodester Online Pizza Ordering System 1.0 and classified as critical. This vulnerability affects unknown code of the file admin/ajax.php?action=save_settings. The manipulation of the argument img leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-227236.

Exploits (1)

exploitdb WORKING POC VERIFIED

by URGAN · pythonwebappsphp

https://www.exploit-db.com/exploits/51431

View Code ZIP pw:eip

This exploit demonstrates an unauthenticated file upload vulnerability in Online Pizza Ordering System 1.0, allowing an attacker to upload a PHP webshell to the server. The script uploads the payload via a POST request to a vulnerable endpoint and then locates the uploaded file by parsing the response.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Online Pizza Ordering System v1.0

No auth needed

Prerequisites: Target URL · PHP webshell file

MITRE ATT&CK

T1105 - Ingress Tool Transfer T1505.003 - Web Shell

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Third Party Advisory vdb-entry technical-description

https://vuldb.com/?id.227236

Third Party Advisory signature permissions-required

https://vuldb.com/?ctiid.227236

Exploit, Third Party Advisory exploit

https://docs.google.com/document/d/1Bzt1UOXHJYyNFvTUsMO4zfbiDd_cKxuEygjAww2GcZQ/edit

Scores

CVSS v3 6.3

EPSS 0.0362

EPSS Percentile 88.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-434

Status published

Products (1)

online_pizza_ordering_system_project/online_pizza_ordering_system 1.0

Published Apr 23, 2023

Tracked Since Feb 18, 2026