CVE-2021-47946

MEDIUM

OpenCart 3.0.36 Account Takeover via Cross Site Request Forgery

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47946. PoCs published by Mahendra Purbia.

AI-analyzed exploit summary: This is a technical writeup describing a CSRF vulnerability in OpenCart 3.0.3.6 that allows account takeover via the /account/edit endpoint. It provides detailed steps to reproduce the attack but does not include functional exploit code.

Description

OpenCart 3.0.3.6 contains a cross-site request forgery (CSRF) vulnerability in the /account/edit endpoint: the endpoint accepts a form submission from another origin as long as the browser attaches the victim's session cookie. An attacker who needs no credentials on the victim's account can therefore modify a logged-in victim's account details by luring the victim to a page that silently submits the edit form. A crafted payload can change the victim's email address to one the attacker controls; the attacker then invokes the password reset function, which sends the reset link to the new address, and takes over the account.
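The following Python model, added here as an illustration and not taken from OpenCart or from the exploit-db writeup, shows why the account-edit request is forgeable and what the usual fix looks like: a stand-in handler that trusts any POST carrying the session cookie, beside a hardened handler that requires a per-session synchronizer token and rejects requests whose Origin/Referer is not the store. The handler, session and request objects, the store origin `https://shop.example`, the attacker origin, and the form field names (`firstname`, `lastname`, `email`, `telephone`, `csrf_token`) are assumptions chosen for the example, not OpenCart's actual parameters or code.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumption: the store's own origin, used for the Origin/Referer check.
SITE_ORIGIN = "https://shop.example"


@dataclass
class Session:
    """Server-side session that the browser selects via its cookie."""
    email: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """A POST to /account/edit as the server sees it."""
    session: Session  # resolved from the cookie the browser attached
    headers: dict
    form: dict


def edit_account_vulnerable(req: Request) -> bool:
    """3.0.3.6-style behaviour (modelled, not OpenCart's code): any POST
    arriving with a valid session cookie is honoured. The browser attaches
    that cookie even when the form was submitted by a page on another site,
    so the victim's email is changed without their knowledge."""
    req.session.email = req.form["email"]
    return True


def edit_account_fixed(req: Request) -> bool:
    """Same handler with two independent checks:
    1. Synchronizer token: the form must echo the secret issued to this
       session. A page on another origin cannot read it (same-origin
       policy), so it cannot forge a valid submission.
    2. Origin/Referer: if the browser says where the request came from and
       that is not the store itself, reject the request."""
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), req.session.csrf_token.encode()):
        return False
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src:
        p = urlsplit(src)
        if f"{p.scheme}://{p.netloc}" != SITE_ORIGIN:
            return False
    req.session.email = req.form["email"]
    return True


def demo() -> dict:
    """Replay a constructed cross-site submission against both handlers,
    then a legitimate same-site submission against the fixed handler."""
    victim = Session(email="victim@example.com")

    # Constructed: what an auto-submitting form on attacker.example sends.
    # Field names are an assumption modelled on a typical account-edit form.
    forged = Request(
        session=victim,
        headers={"Origin": "https://attacker.example"},
        form={"firstname": "Vic", "lastname": "Tim",
              "email": "attacker@attacker.example", "telephone": "000"},
    )

    out = {}
    out["vulnerable_accepted"] = edit_account_vulnerable(forged)
    out["email_after_vulnerable"] = victim.email

    victim.email = "victim@example.com"  # reset the model for the second run
    out["fixed_accepted"] = edit_account_fixed(forged)
    out["email_after_fixed"] = victim.email

    # Legitimate submission: rendered by the store, so it carries the token.
    legit = Request(
        session=victim,
        headers={"Origin": SITE_ORIGIN},
        form={"email": "victim+new@example.com", "csrf_token": victim.csrf_token},
    )
    out["legit_accepted"] = edit_account_fixed(legit)
    out["email_after_legit"] = victim.email
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The forged request fails the token check before the Origin check is even reached; the Origin check is kept because it also stops replays of a leaked token from another site. In a real deployment the token must be embedded in the store-rendered form and rotated per session, and setting the session cookie with `SameSite=Lax` or `Strict` adds a browser-side layer that does not depend on the application remembering to validate every form.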

Exploits (1)

exploitdb WRITEUP
by Mahendra Purbia · text · webapps · php
https://www.exploit-db.com/exploits/49407


Classification
Writeup 90%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: OpenCart CMS 3.0.3.6 and below
Auth required: yes, on the victim's side (the victim must be logged in to the store; the attacker needs no access to the victim's account)
Prerequisites: Victim account · Attacker account · Intercepted request for CSRF PoC creation
devstral-2 · analyzed May 10, 2026

References (4)

Core References (4)
Exploit
ExploitDB-49407
https://www.exploit-db.com/exploits/49407
Product
Official Product Homepage
https://www.opencart.com
Product
Product Reference
https://www.opencart.com/index.php?route=cms/download
Third Party Advisory
VulnCheck Advisory: OpenCart 3.0.36 Account Takeover via Cross Site Request Forgery
https://www.vulncheck.com/advisories/opencart-account-takeover-via-cross-site-request-forgery

Scores

CVSS v3 5.3
EPSS 0.0015
EPSS Percentile 4.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (1)
Opencart/OpenCart 3.0.3.6
Published May 10, 2026
Tracked Since May 10, 2026