OpenCart Cross Site Scripting

OpenCart version suffers from a persistent cross site scripting vulnerability.

MD5 | a227cafc12e096a8d0cd56342e5b5341

# Exploit Title: OpenCart - Stored Cross Site Scripting (Authenticated)
# Date: 2020-06-01
# Exploit Author: Kailash Bohara
# Vendor Homepage:
# Software Link:
# Version: OpenCart <
# CVE : CVE-2020-10596

1. Go to and log in with credentials.

2. Then navigate to System>Users>Users and click the Action button in the top right corner.

3. In the image field, click the image and upload a new image. Before doing so, select any image file and rename it with this XSS payload: "><svg onload=alert("XSS")> and then upload it as the new user profile image.

4. After the upload completes, the XSS pop-up executes as shown below, and it is executed each time someone visits the Image manager section.
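
The behaviour in steps 3 and 4 comes from a stored file name being written into HTML without encoding. The PHP below is an added example, not OpenCart's code or the exploit author's: it shows that pattern beside an output-encoding fix and an upload-time allowlist. All function names are hypothetical, the markup is a stand-in for a file listing, and the `.png` extension on the sample name is an assumption.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not taken from OpenCart.

// Vulnerable pattern: the stored file name is concatenated into markup as-is,
// so a double quote in the name closes the attribute and starts new markup.
function render_thumb_unsafe(string $name): string
{
    return '<a class="thumbnail" title="' . $name . '">' . $name . '</a>';
}

// Output-side fix: encode for the HTML context every time the name is rendered.
function render_thumb_safe(string $name): string
{
    $e = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a class="thumbnail" title="' . $e . '">' . $e . '</a>';
}

// Input-side fix: accept only an allowlisted name, reject everything else.
// Returns the name to store, or null when the upload should be refused.
function normalize_upload_name(string $name): ?string
{
    $base = basename(str_replace('\\', '/', $name));
    $ok = '/^[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.(png|jpe?g|gif|webp)\z/i';
    return preg_match($ok, $base) === 1 ? $base : null;
}

// Constructed samples: the file name from step 3 (extension assumed) and a benign one.
$samples = ['"><svg onload=alert("XSS")>.png', 'profile-01.png'];

foreach ($samples as $name) {
    $stored = normalize_upload_name($name);
    echo 'upload name : ', $name, PHP_EOL;
    echo 'accepted as : ', $stored ?? '(rejected)', PHP_EOL;
    echo 'unsafe html : ', render_thumb_unsafe($name), PHP_EOL;
    echo 'safe html   : ', render_thumb_safe($name), PHP_EOL, PHP_EOL;
}
```

Encoding at render time is the control that matters for names already stored; the allowlist only stops new ones from being saved.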
