CVE-2021-47897
Published: 23 January 2026
Summary
CVE-2021-47897 is a medium-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 22.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2021-47897 is a stored cross-site scripting vulnerability (CWE-79) in PEEL Shopping version 9.3.0. The issue affects the address parameter in the change_params.php script, allowing attackers to inject malicious JavaScript payloads. These payloads execute when users interact with the address text box, enabling client-side script execution. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
Unauthenticated attackers with network access can exploit this vulnerability due to its lack of privilege requirements (PR:N) and low attack complexity (AC:L). Although the CVSS vector indicates no user interaction is needed (UI:N), execution occurs upon user interaction with the affected text box. Exploitation results in limited impacts to confidentiality and integrity (C:L/I:L) within a changed scope (S:C), such as unauthorized script execution in victims' browsers.
Advisories from VulnCheck (https://www.vulncheck.com/advisories/peel-shopping-address-stored-cross-site-scripting) and Exploit-DB (https://www.exploit-db.com/exploits/49553) detail the vulnerability, including a proof-of-concept exploit. The archived PEEL Shopping site (https://web.archive.org/web/20210302174407/https://www.peel.fr/) provides software context, but no specific patch or mitigation details are outlined in the references.
A proof-of-concept exploit is publicly available on Exploit-DB, highlighting potential real-world exploitation risk for unpatched PEEL Shopping 9.3.0 deployments.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4290
Vulnerability details
PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the address parameter of the change_params.php script. Attackers can inject malicious JavaScript payloads that execute when users interact with the address text box, potentially enabling client-side script execution.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in public web app directly enables script injection/execution (T1059.007) via exploitation of exposed application (T1190).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of all inputs (including the address parameter) to reject or neutralize script content before storage.
- SI-15 (Information Output Filtering): requires filtering of information outputs so that stored malicious JavaScript in the address field is not rendered/executed in user browsers.
- Information flow enforcement: enforces information flow rules that can block untrusted script content from being accepted or propagated through the change_params.php data path.
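As an added example (not PEEL Shopping's own code), the input-validation and output-filtering controls above applied to an address field in PHP: an allow-list validator that runs before the value is stored, and context-aware encoding when the stored value is echoed back into the address text box. The function names, the attribute rendering context and the sample inputs are assumptions, not details taken from change_params.php.

```php
<?php
// Added example (not PEEL Shopping code): defensive handling of an
// "address" field modelled on the stored-XSS data path described above.
// Function names and the rendering context are assumptions.

// SI-10 style input validation: accept only plausible postal-address
// text before storage. An allow-list is used instead of trying to
// strip <script> tags, which is easy to bypass.
function validate_address(string $address): ?string
{
    $address = trim($address);
    if ($address === '' || mb_strlen($address, 'UTF-8') > 200) {
        return null;
    }
    // Letters in any script, digits, spaces and common address punctuation.
    if (!preg_match('/\A[\p{L}\p{N} \.,\'\-\/#]+\z/u', $address)) {
        return null;
    }
    return $address;
}

// SI-15 style output filtering: encode for the exact context the value
// lands in (a double-quoted HTML attribute), so that whatever was stored
// is rendered as text rather than interpreted as markup or script.
function render_address_input(string $stored_address): string
{
    $safe = htmlspecialchars($stored_address, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="address" value="' . $safe . '">';
}

// Constructed sample inputs: one benign address and one attribute-breaking
// payload of the kind a stored-XSS finding describes.
$samples = [
    '12 Rue de la Paix, 75002 Paris',
    '"><script>alert(1)</script>',
];
foreach ($samples as $s) {
    $valid = validate_address($s);
    if ($valid === null) {
        // Rejected at input. Rendering the raw value anyway shows the second
        // layer: even a value that bypassed validation is neutralized on output.
        echo "rejected at input; encoded output would be: "
            . render_address_input($s) . PHP_EOL;
    } else {
        echo "accepted: " . render_address_input($valid) . PHP_EOL;
    }
}
```

The second sample is rejected by the validator, and even when passed straight to the renderer it comes out as `&quot;&gt;&lt;script&gt;...` inside the attribute, so the text box displays the string instead of executing it.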