CVE-2021-47892
Stored XSS in PEEL Shopping 9.3.0 Purchase Comments Allows Script Execution

Publication date: 2026-01-23

Last updated on: 2026-01-23

Assigner: VulnCheck

Description
PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the 'Comments / Special Instructions' parameter of the purchase page. An attacker can submit a JavaScript payload in that field; the value is stored and written back into the page without being neutralized, so the script executes in the browser of anyone who reloads the page on which the comment is rendered.
Affected Vendors & Products (1 associated CPE)

Vendor   Product    Version / Range
peel     shopping   9.3.0
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2021-47892 is a stored cross-site scripting (XSS) vulnerability in PEEL Shopping version 9.3.0. It exists in the 'Comments / Special Instructions' parameter on the purchase page, where attackers can inject malicious JavaScript code. This code is stored on the server and executed whenever the affected page is refreshed, allowing client-side script execution. [1, 2]

Impact Analysis

This vulnerability can allow attackers to execute malicious JavaScript in the context of the affected website. This can lead to theft of user credentials, session hijacking, defacement, or other malicious actions performed on behalf of the user. Since the malicious script executes when the page is refreshed, it can repeatedly affect users visiting the page. [1, 2]

Detection Guidance

This vulnerability can be detected by submitting a test value into the 'Comments / Special Instructions' field on the purchase page located at `/achat/achat_maintenant.php` and checking whether it comes back unencoded. A harmless marker is enough: submit markup that carries a unique token (for example an element with an event handler such as `onload` or `onclick`, or simply a tag with a recognisable `id`), then reload the page in the same session and look for that markup in the response. If the `<`, `>` and `"` characters come back verbatim rather than as `&lt;`, `&gt;` and `&quot;`, the stored XSS is confirmed; if only the escaped form appears, output encoding is in place. Specific commands depend on your testing environment, but a common approach is to POST the field with curl, a browser's developer tools or an intercepting proxy, then fetch the page again with the same cookies (the stored comment belongs to the shopping session, so a reload without them shows nothing) and inspect the response body rather than relying on an alert box firing. [1]
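The check described above, as an added example that is not PEEL Shopping code and not part of the original advisory: a probe carrying a unique token is built, and a classifier decides from the reloaded page body whether the markup came back raw (vulnerable), HTML-encoded (fixed) or mangled (some blocklist filter). The HTML field name behind the 'Comments / Special Instructions' box is not given on this page, so the `comments` default in `submit_and_reload` is an assumption; read the real name from the form before using it. The sample bodies at the bottom are constructed, not captured from a real install, so the classifier can be exercised offline.

```python
"""Offline-verifiable reflection check for a stored XSS in a form field.

Added example, not PEEL Shopping code. Field name 'comments' is an assumption.
"""
import html
import secrets
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar
from typing import Dict, Optional, Tuple


def build_probe(token: Optional[str] = None) -> Tuple[str, str]:
    """Return (token, probe).

    The probe closes a quoted attribute and injects a harmless element carrying
    a unique token. No alert() is needed: the only question is whether the
    markup survives intact when the page is reloaded.
    """
    token = token or "xsschk" + secrets.token_hex(4)
    probe = f'"><b id="{token}" onmouseover="void(0)">{token}</b>'
    return token, probe


def classify_reflection(body: str, token: str, probe: str) -> str:
    """Classify how the stored probe came back in a page body.

    'unencoded': probe present verbatim -> markup reached the page, stored XSS confirmed
    'encoded'  : probe present only after HTML-unescaping -> output encoding works
    'filtered' : token survives but the markup was altered -> a blocklist is in play
    'absent'   : nothing came back (not stored, rendered elsewhere, or wrong session)
    """
    if probe in body:
        return "unencoded"
    if probe in html.unescape(body):      # handles &quot; as well as &#34; style encoders
        return "encoded"
    if token in body:
        return "filtered"
    return "absent"


def submit_and_reload(purchase_url: str, field_name: str, probe: str,
                      timeout: float = 10.0) -> str:
    """POST the probe into the comments field, then GET the page again with the
    same cookies. The stored comment belongs to the shopping session, so the
    reload must reuse the session cookie or the result is 'absent'.
    Only run this against a system you are authorised to test.
    """
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    data = urllib.parse.urlencode({field_name: probe}).encode()
    opener.open(purchase_url, data=data, timeout=timeout).read()
    return opener.open(purchase_url, timeout=timeout).read().decode("utf-8", "replace")


# Constructed sample bodies (not captured from a real install): one reflecting
# the comment raw, one after proper output encoding, one after a naive filter
# that stripped the tag but kept the text.
SAMPLE_TOKEN, SAMPLE_PROBE = build_probe("xsschkdeadbeef")
VULNERABLE_BODY = f"<p>Comments / Special Instructions: {SAMPLE_PROBE}</p>"
PATCHED_BODY = f"<p>Comments / Special Instructions: {html.escape(SAMPLE_PROBE, quote=True)}</p>"
FILTERED_BODY = f'<p>Comments / Special Instructions: "&gt;{SAMPLE_TOKEN}</p>'


def demo() -> Dict[str, str]:
    """Run the classifier over the constructed bodies."""
    return {
        "vulnerable": classify_reflection(VULNERABLE_BODY, SAMPLE_TOKEN, SAMPLE_PROBE),
        "patched": classify_reflection(PATCHED_BODY, SAMPLE_TOKEN, SAMPLE_PROBE),
        "filtered": classify_reflection(FILTERED_BODY, SAMPLE_TOKEN, SAMPLE_PROBE),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
    # Live use (assumed field name, adjust to the real form; authorised targets only):
    # token, probe = build_probe()
    # body = submit_and_reload("https://shop.example/achat/achat_maintenant.php", "comments", probe)
    # print(classify_reflection(body, token, probe))
```

The classifier unescapes the body before the second comparison so that it recognises encoded output whichever entity form the server emits (`&quot;` or `&#34;`), and the `filtered` verdict separates a blocklist-style fix, which is worth testing further, from a real output-encoding fix.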

Mitigation Strategies

The root cause is missing output encoding, so the primary fix is to HTML-encode the stored 'Comments / Special Instructions' value wherever it is written into a page (both the summary line and any prefilled form field), using an encoder appropriate to the output context. Validating input (length, character set) is worthwhile defense in depth, but stripping or blocklisting tags on input is not a substitute for encoding on output: attribute breakouts and case variants get past such filters. Web application firewall (WAF) rules can reduce exposure to common payload patterns for the same reason, but only as a stopgap. If the vendor publishes a release that corrects this behaviour, update PEEL Shopping to it; until then, restrict or disable the vulnerable input field. [2]
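To make the difference between input sanitization and output encoding concrete, here is an added example (not PEEL Shopping code; the product itself is PHP, and the `comments` field name and the surrounding markup are assumptions). It renders a stored comment into the two contexts the purchase page plausibly has, a prefilled input value and a summary line, under three strategies: no encoding, a blocklist that strips `<script>` tags on input, and context-appropriate HTML encoding on output. The payloads are constructed test strings, not taken from the advisory, and a benign comment is included to show that encoding is lossless for real customers.

```python
"""Vulnerable rendering vs. input blocklist vs. output encoding for a stored comment.

Added example, not PEEL Shopping code. Field name 'comments' is an assumption.
"""
import html
import re
from typing import Callable, Dict, List

# Constructed test payloads (not from the advisory). The page mentions event
# handlers such as onload/onclick, so attribute breakout and bare tags are covered.
PAYLOADS: List[str] = [
    '"><script>alert(1)</script>',   # close the attribute, open a tag
    '" onclick="alert(1)',           # stay inside the tag, add a handler
    "<img src=x onerror=alert(1)>",  # no <script> at all
    "<ScRiPt>alert(1)</sCrIpT>",     # case variant against naive filters
    "Please leave at the back door", # benign comment, must survive unchanged
]


def no_encoding(comment: str) -> str:
    """What the vulnerable page effectively does: store and echo as-is."""
    return comment


def strip_script_tags(comment: str) -> str:
    """A typical 'input sanitization' quick fix: remove <script> tags on input.
    Included to show why a blocklist is not enough, not as a recommendation."""
    return re.sub(r"</?script[^>]*>", "", comment, flags=re.IGNORECASE)


def encode_for_html(comment: str) -> str:
    """Output encoding for HTML element bodies and double-quoted attribute values.
    PHP equivalent: htmlspecialchars($c, ENT_QUOTES | ENT_HTML5, 'UTF-8')."""
    return html.escape(comment, quote=True)


STRATEGIES: Dict[str, Callable[[str], str]] = {
    "none": no_encoding,
    "strip_script_tags": strip_script_tags,
    "encode_for_html": encode_for_html,
}

# Characters that, if they reach the page raw, can close an attribute or open a tag.
RAW_DANGEROUS = '<>"\''


def render_purchase_page(comment: str, encoder: Callable[[str], str]) -> str:
    """The two places a stored comment lands when the page is reloaded: the
    prefilled form field (attribute context) and a summary line (body context).
    Same encoder for both; html.escape(quote=True) is safe in either."""
    safe = encoder(comment)
    return (f'<input type="text" name="comments" value="{safe}">\n'
            f"<p>Comments / Special Instructions: {safe}</p>")


def markup_survives(comment: str, encoder: Callable[[str], str]) -> bool:
    """True if the comment still carries a raw dangerous character after the
    strategy has been applied, i.e. the payload keeps its power."""
    return any(ch in encoder(comment) for ch in RAW_DANGEROUS)


def breakouts_per_strategy() -> Dict[str, int]:
    """Count how many payloads still reach the page with live markup per strategy."""
    return {name: sum(markup_survives(p, enc) for p in PAYLOADS)
            for name, enc in STRATEGIES.items()}


def encoding_is_lossless() -> bool:
    """What the shop owner reads back must be exactly what the customer typed."""
    return all(html.unescape(encode_for_html(p)) == p for p in PAYLOADS)


if __name__ == "__main__":
    for name, count in breakouts_per_strategy().items():
        print(f"{name:18s} payloads with live markup: {count}/{len(PAYLOADS)}")
    print(render_purchase_page(PAYLOADS[1], encode_for_html))
```

The blocklist stops only the payload that actually contains a `<script>` tag; the attribute breakout, the `<img onerror>` variant and the plain `" onclick="` injection all survive it, which is the same reason WAF pattern rules are a stopgap rather than a fix. Encoding on output neutralizes every payload while `html.unescape` of the stored value still yields exactly the customer's text.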
