CVE-2021-47928

HIGH

Opencart TMD Vendor System 3.x Blind SQL Injection via product route

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47928. PoCs published by Muhammad Zaki Sulistya.

AI-analyzed exploit summary This Python script demonstrates a blind SQL injection vulnerability in the TMD Vendor System for OpenCart 3.x. It automates the extraction of admin credentials and password reset tokens by leveraging time-based SQLi techniques.

Description

Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id parameter. Attackers can craft malicious SQL queries using time-based or content-based blind injection techniques to enumerate usernames, emails, and password reset codes from the oc_user table.

Exploits (1)

exploitdb WORKING POC

by Muhammad Zaki Sulistya · pythonwebappsphp

https://www.exploit-db.com/exploits/50493

View Code ZIP pw:eip

This Python script demonstrates a blind SQL injection vulnerability in the TMD Vendor System for OpenCart 3.x. It automates the extraction of admin credentials and password reset tokens by leveraging time-based SQLi techniques.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: TMD Vendor System 3.x for OpenCart

No auth needed

Prerequisites: target URL with vulnerable endpoint · network access to the target

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed May 10, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit exploit

ExploitDB-50493

https://www.exploit-db.com/exploits/50493

Product product

Official Product Homepage

https://www.opencartextensions.in/

Product product

Product Reference

https://www.opencartextensions.in/opencart-multi-vendor-multi-seller-marketplace

Third Party Advisory third-party-advisory

VulnCheck Advisory: Opencart TMD Vendor System 3.x Blind SQL Injection via product route

https://www.vulncheck.com/advisories/opencart-tmd-vendor-system-3-x-blind-sql-injection-via-product-route

Scores

CVSS v3 8.2

EPSS 0.0028

EPSS Percentile 19.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

opencartextensions/Extension TMD Vendor System 3.0

Published May 10, 2026

Tracked Since May 10, 2026