CVE-2021-47892
Unknown Unknown - Not Provided

Stored XSS in PEEL Shopping 9.3.0 Purchase Comments Allows Script Execution

Vulnerability report for CVE-2021-47892, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-23

Last updated on: 2026-01-23

Assigner: VulnCheck

Description

PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the 'Comments / Special Instructions' parameter of the purchase page. Attackers can inject malicious JavaScript payloads that will execute when the page is refreshed, potentially allowing client-side script execution.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-23
Last Modified
2026-01-23
Generated
2026-07-06
AI Q&A
2026-01-23
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
peel shopping 9.3.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2021-47892 is a stored cross-site scripting (XSS) vulnerability in PEEL Shopping version 9.3.0. It exists in the 'Comments / Special Instructions' parameter on the purchase page, where attackers can inject malicious JavaScript code. This code is stored on the server and executed whenever the affected page is refreshed, allowing client-side script execution. [1, 2]

Impact Analysis

This vulnerability can allow attackers to execute malicious JavaScript in the context of the affected website. This can lead to theft of user credentials, session hijacking, defacement, or other malicious actions performed on behalf of the user. Since the malicious script executes when the page is refreshed, it can repeatedly affect users visiting the page. [1, 2]

Detection Guidance

This vulnerability can be detected by attempting to inject a JavaScript payload into the 'Comments / Special Instructions' field on the purchase page located at `/achat/achat_maintenant.php`. For example, you can submit a payload with an event handler such as `onload` or `onclick` that triggers an alert box. After submitting, refresh the page to see if the JavaScript executes, confirming the presence of the stored XSS vulnerability. Specific commands depend on your testing environment, but a common approach is to use curl or a browser-based tool to POST data to the purchase page with the malicious payload in the comments field and then check the page response for script execution. [1]

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating all user inputs on the 'Comments / Special Instructions' field to prevent injection of malicious scripts. Implement proper output encoding to neutralize any injected scripts before rendering them on the page. Additionally, consider applying web application firewall (WAF) rules to detect and block suspicious input patterns. If possible, update or patch PEEL Shopping to a version where this vulnerability is fixed. Until a patch is available, restrict user input or disable the vulnerable input field to prevent exploitation. [2]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47892. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart