A vulnerability was detected in AojiaoZero Antaris 1.0. This affects the function _rewardPurchase of the file /ipn.php of the component PayPal IPN Payment Handler. The manipulation of the argument item_number results in sql injection. The attack may be performed from remote. The vendor was contacted early about this disclosure but did not respond in any way.
Security readout for executives and security teams
Plain-English summary
CVE-2026-15502 is a SQL injection issue in AojiaoZero Antaris 1.0’s PayPal IPN payment handler. A remote authenticated attacker could manipulate payment-related input and potentially read or alter database data. Business urgency is moderate, especially where Antaris handles transactions or customer records.
Executive priority
Treat as a medium-priority application risk. Prioritize environments processing payments or sensitive customer data, because database compromise could affect transaction integrity and confidentiality. Lack of vendor response increases remediation uncertainty.
Technical view
The reported flaw affects _rewardPurchase in /ipn.php, where the item_number argument is not safely handled, leading to SQL injection. VulDB lists network access, low attack complexity, and required authentication. CVSS v2 score is 6.5. The vendor reportedly did not respond to disclosure.
Likely exposure
Exposure is likely limited to organizations running AojiaoZero Antaris 1.0 with the PayPal IPN payment handler reachable by authenticated users or payment workflow actors.
Exploitation context
The source bundle does not show CISA KEV listing or confirmed active exploitation. VulDB indicates remote exploitation is possible and permissions are required. Public details identify the affected file, function, and parameter, but no vendor-confirmed fix is listed.
Researcher notes
Evidence is primarily from VulDB and CVE records. The advisory names Antaris 1.0, /ipn.php, _rewardPurchase, and item_number. Authentication is required per CVSS. No patch, workaround, or active exploitation confirmation is provided in the supplied sources.
Mitigation direction
Identify any AojiaoZero Antaris 1.0 deployments and owners.
Restrict access to /ipn.php to required payment infrastructure where feasible.
Monitor payment handler and database logs for unusual item_number activity.
Check vendor or project channels for updated guidance or patched releases.
Consider disabling affected PayPal IPN functionality if business impact allows.
Validation and detection
Confirm whether Antaris 1.0 is deployed in production or staging.
Verify whether /ipn.php is externally reachable.
Review code handling of item_number in _rewardPurchase.
Check logs for abnormal payment notification requests.
Document compensating controls around payment callback endpoints.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-74: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Injection into data stores can inform collection, data access, and exfiltration detection reviews. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
4CVSS vectors
6Timeline events
0ADP providers
5Source links
CVSS vector scores
4 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-74 · source CWE mapping
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.