Cross-site scripting vulnerability in products1h.php in ESMI PayPal Storefront allows remote attackers to inject arbitrary web script or HTML via the id parameter.

Multiple SQL injection vulnerabilities in ESMI PayPal Storefront allow remote attackers to execute arbitrary SQL commands via the (1) idpages parameter to pages.php or the (2) id2 parameter to products1.php.