cpcommerce is a FOSS PHP-based e-commerce (shopping cart) web application.
Gravity: An attacker can potentially fetch the admin's cookie or do a vast number of other things.
This is only one aspect of this cross-site scripting vulnerability. I still have yet to test other parts of my site which have user-inputted information such as product reviews and order forms.
I tested this with 1.1.0 (the latest version) - the OS is Debian etch running apache2, php5 and mysql5. I suspect that earlier versions of cpcommerce are most likely also vulnerable.