Cyber Resilience

CVE-2021-47897

MediumPublic PoC

Published: 23 January 2026

Published
23 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0007 22.0th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-47897 is a medium-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2021-47897 is a stored cross-site scripting vulnerability (CWE-79) in PEEL Shopping version 9.3.0. The issue affects the address parameter in the change_params.php script, allowing attackers to inject malicious JavaScript payloads. These payloads execute when users interact with the address text box, enabling client-side script execution. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Unauthenticated attackers with network access can exploit this vulnerability due to its lack of privilege requirements (PR:N) and low attack complexity (AC:L). Although the CVSS vector indicates no user interaction is needed (UI:N), execution occurs upon user interaction with the affected text box. Exploitation results in limited impacts to confidentiality and integrity (C:L/I:L) within a changed scope (S:C), such as unauthorized script execution in victims' browsers.

Advisories from VulnCheck (https://www.vulncheck.com/advisories/peel-shopping-address-stored-cross-site-scripting) and Exploit-DB (https://www.exploit-db.com/exploits/49553) detail the vulnerability, including a proof-of-concept exploit. The archived PEEL Shopping site (https://web.archive.org/web/20210302174407/https://www.peel.fr/) provides software context, but no specific patch or mitigation details are outlined in the references.

A proof-of-concept exploit is publicly available on Exploit-DB, highlighting potential real-world exploitation risk for unpatched PEEL Shopping 9.3.0 deployments.

EU & UK References

Vulnerability details

PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the address parameter of the change_params.php script. Attackers can inject malicious JavaScript payloads that execute when users interact with the address text box, potentially enabling client-side script execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Stored XSS in public web app directly enables script injection/execution (T1059.007) via exploitation of exposed application (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3231Shared CWE-79
CVE-2025-23481Shared CWE-79
CVE-2025-69302Shared CWE-79
CVE-2025-23734Shared CWE-79
CVE-2025-23571Shared CWE-79
CVE-2025-65110Shared CWE-79
CVE-2026-24948Shared CWE-79
CVE-2025-27352Shared CWE-79
CVE-2025-30349Shared CWE-79
CVE-2026-3876Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of all inputs (including the address parameter) to reject or neutralize script content before storage.

prevent

Requires filtering of information outputs so that stored malicious JavaScript in the address field is not rendered/executed in user browsers.

prevent

Enforces information flow rules that can block untrusted script content from being accepted or propagated through the change_params.php data path.

References