CVE-2024-58316

HIGH

Online Shopping System Advanced 1.0 - SQL Injection via Payment Success Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-58316. PoCs published by Furkan Gedik.

AI-analyzed exploit summary: The writeup describes a SQL injection vulnerability in the 'Online Shopping System Advanced' application, specifically in the 'payment_success.php' file where the 'cm' parameter is unsanitized. It includes SQLmap output demonstrating time-based blind SQLi exploitation.

Description

Online Shopping System Advanced 1.0 contains a SQL injection vulnerability in the payment_success.php script that allows attackers to inject malicious SQL through the unfiltered 'cm' parameter. Attackers can exploit the vulnerability by manipulating the user ID parameter and sending crafted SQL queries to retrieve sensitive database information.

Exploits (1)

exploitdb WRITEUP
by Furkan Gedik · text · webapps · php
https://www.exploit-db.com/exploits/51811


Classification: Writeup (90%)
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Online Shopping System Advanced 1.0
Authentication: No auth needed
Prerequisites: Access to the vulnerable endpoint · SQLmap or similar tool for exploitation
Analyzed by devstral-2 on Feb 18, 2026

References (3)


Scores

CVSS v3: 7.5
EPSS: 0.0009
EPSS Percentile: 26.6%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Source: Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-89
Status: published
Products (2):
PuneethReddyHC/online-shopping-system-advanced 1.0
puneethreddyhc/online_shopping_system_advanced 1.0
Published: Dec 12, 2025
Tracked Since: Feb 18, 2026