CVE-2026-7225: SourceCodester Pizzafy SQL Injection Vulnerability

/HIGH /CVSS 7.3/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitysql-injectioncwe-74cwe-89
CVE-2026-7225: SourceCodester Pizzafy SQL Injection Vulnerability

The National Vulnerability Database has disclosed CVE-2026-7225, a high-severity SQL injection vulnerability in SourceCodester Pizzafy Ecommerce System 1.0. The flaw resides in the delete_menu function within /admin/ajax.php?action=delete_menu, allowing remote attackers to manipulate the ID argument and execute arbitrary SQL queries.

This is a classic SQL injection, made worse by its remote exploitability and the public availability of exploit code. Attackers don’t need complex tools or deep system knowledge; a simple HTTP request can trigger this. For any organization running this specific e-commerce system, this vulnerability is a direct path to database compromise, data exfiltration, or even full system takeover if the database user has elevated privileges.

Defenders need to recognize the immediate threat. Public exploits mean script kiddies and more sophisticated actors alike can weaponize this instantly. The attacker’s calculus is straightforward: find vulnerable instances and exploit them before patches are applied. The lack of specified affected products beyond the core system means anyone using SourceCodester Pizzafy Ecommerce System 1.0 is a potential target.

What This Means For You

  • If your organization uses SourceCodester Pizzafy Ecommerce System 1.0, you are directly exposed to CVE-2026-7225. Immediately take the system offline, audit for compromise, and apply any vendor-provided patches or workarounds. Prioritize this; public exploits are a ticking time bomb.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1505.003 Server Software Component Initial Access T1189 Drive-by Compromise Initial Access

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1190 Initial Access

CVE-2026-7225: SourceCodester Pizzafy SQL Injection via delete_menu

Sigma YAML — free preview 
title: CVE-2026-7225: SourceCodester Pizzafy SQL Injection via delete_menu
id: scw-2026-04-28-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-7225 in SourceCodester Pizzafy Ecommerce System 1.0. This rule specifically looks for requests targeting the `ajax.php` file with the `action=delete_menu` parameter, and includes common SQL injection patterns within the `ID` query parameter, indicating an attempt to manipulate the ID to perform an SQL injection.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7225/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/admin/ajax.php?action=delete_menu'
      cs-uri-query|contains:
          - 'ID='
      cs-uri-query|contains:
          - ' OR '
      cs-uri-query|contains:
          - ' = '
      cs-uri-query|contains:
          - ' UNION '
      cs-uri-query|contains:
          - ' SELECT '
      cs-uri-query|contains:
          - ' FROM '
      cs-uri-query|contains:
          - ' --'
      cs-uri-query|contains:
          - ' /*'
      cs-uri-query|contains:
          - ' #'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-7225 SQLi SourceCodester Pizzafy Ecommerce System 1.0
CVE-2026-7225 SQLi Vulnerable function: delete_menu
CVE-2026-7225 SQLi Vulnerable file: /admin/ajax.php?action=delete_menu
CVE-2026-7225 SQLi Vulnerable parameter: ID

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedApril 28, 2026 at 09:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-7234: Path Traversal Flaw in BrowserOperator Core Exposes Users

CVE-2026-7234 — A weakness has been identified in BrowserOperator browser-operator-core up to 0.6.0. Affected is the function startsWith of the file scripts/component_server/server.js. Executing a manipulation...

vulnerabilityCVEhigh-severitypath-traversalcwe-22
/SCW Vulnerability Desk /HIGH /7.3 /⚑ 3 IOCs /⚙ 3 Sigma

CVE-2026-7230 — SourceCodester Safety Anger Pad Vulnerability

CVE-2026-7230 — A vulnerability was found in SourceCodester Safety Anger Pad 1.0. The affected element is an unknown function. The manipulation of the argument angerDisplay...

vulnerabilityCVEmedium-severitycwe-79cwe-94
/SCW Vulnerability Desk /MEDIUM /4.3 /⚑ 3 IOCs /⚙ 3 Sigma

CVE-2026-7229 — Code-Projects Coaching Management System SQL Injection

CVE-2026-7229 — A vulnerability was found in code-projects Coaching Management System 1.0. This affects an unknown function of the file /cims/modules/admin/reply.php of the component POST...

vulnerabilityCVEmedium-severitysql-injectioncwe-74cwe-89
/SCW Vulnerability Desk /MEDIUM /6.3 /⚑ 3 IOCs /⚙ 3 Sigma