
Description

Sellacious eCommerce 4.6 contains a persistent cross-site scripting vulnerability in the Manage Your Addresses module that allows attackers to inject malicious scripts. Attackers can exploit multiple address input fields like full name, company, and address to execute persistent script code that can hijack user sessions and manipulate application modules.

PUBLISHED Reserved 2026-01-27 | Published 2026-01-30 | Updated 2026-01-30 | Assigner VulnCheck




MEDIUM: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N)

MEDIUM: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Any version: affected

Credits

gurbanli (finder)

References

www.exploit-db.com/exploits/48467 (ExploitDB-48467) exploit

www.sellacious.com (Official Sellacious eCommerce Homepage) product

www.sellacious.com/free-open-source-ecommerce-software (Sellacious Product Details) product

www.vulnerability-lab.com/get_content.php?id=2226 (Vulnerability Lab Advisory) third-party-advisory

www.vulncheck.com/...ommerce-persistent-cross-site-scripting (VulnCheck Advisory: Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting) third-party-advisory

cve.org (CVE-2020-37003)

nvd.nist.gov (CVE-2020-37003)
