CVE-2019-15081
MEDIUM
OpenCart 3.0.0.0-3.0.3.1 - Authenticated Stored Cross-Site Scripting in Source/HTML Editor
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2019-15081. PoCs published by Nipun Somani.
AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in OpenCart 3.x.x by injecting malicious JavaScript into the admin panel's description fields, which executes when viewed on the public website.
Description
OpenCart 3.x, when the attacker has login access to the admin panel, allows stored XSS within the Source/HTML editing feature of the Categories, Product, and Information pages.
Exploits (1)
exploitdb
WORKING POC
by Nipun Somani · text · webapps · php
https://www.exploit-db.com/exploits/47331
Classification
Working PoC 90%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target:
OpenCart 3.x.x
Auth required
Prerequisites:
Admin access to the OpenCart panel
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
References (2)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/nipunsomani/Opencart-3.x.x-Authenticated-Stored-XSS/blob/master/README.md
Broken Link x_refsource_misc
http://packetstormsecurity.com/files/154286/Opencart-3.x-Cross-Site-Scripting.html
Scores
CVSS v3
4.8
EPSS
0.0196
EPSS Percentile
77.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
opencart/opencart
3.0.0.0 - 3.0.3.2
Published
Aug 15, 2019
Tracked Since
Feb 18, 2026