CVE-2020-28838

LOW

OpenCart 3.0.3.6 - Cross-Site Request Forgery in Cart Option

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-28838. PoCs published by Mahendra Purbia.

AI-analyzed exploit summary: This exploit demonstrates a Cross-Site Request Forgery (CSRF) vulnerability in OpenCart 3.0.3.6, allowing an attacker to add arbitrary products to a victim's cart by tricking them into submitting a crafted HTML form. The PoC includes a simple HTML form that submits a POST request to the target endpoint with predefined product details.

Description

Cross-Site Request Forgery (CSRF) in the cart option of OpenCart Ltd. OpenCart CMS 3.0.3.6 allows an attacker to add cart items via "Add to cart".

Exploits (1)

exploitdb WORKING POC
by Mahendra Purbia · text · webapps · php
https://www.exploit-db.com/exploits/49228


Classification
Working PoC 95%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: OpenCart 3.0.3.6
No auth needed
Prerequisites: Victim must visit the crafted HTML page · Attacker must know the target endpoint URL
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References (2)
Product (x_refsource_misc): https://www.opencart.com/
Exploit, Third Party Advisory, VDB Entry (x_refsource_misc): https://www.exploit-db.com/exploits/49228

Scores

CVSS v3 3.5
EPSS 0.0010
EPSS Percentile 26.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Details

CWE
CWE-352
Status published
Products (2)
opencart/opencart 3.0.3.6
opencart/opencart Packagist
Published Dec 11, 2020
Tracked Since Feb 18, 2026