Primary

Context

OpenCart Password Change Cross-Site Request Forgery Vulnerability

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in OpenCart version 3.0.3.7. This vulnerability allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Exploitation involves tricking authenticated users into submitting hidden forms with new password values in the 'password' and 'confirm' parameters, effectively hijacking their accounts.

Impact

Exploitation of this vulnerability allows for unauthorized password changes, leading to account hijacking.

Reproduction

To reproduce this vulnerability, an authenticated user must be tricked into submitting a form that includes a new password and its confirmation. This can be done by sending a crafted request that exploits the lack of CSRF protection on the password change endpoint.

Added: May 10, 2026, 1:29 PM

Updated: May 10, 2026, 1:29 PM

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

0.6

exploitability

7.3

remediation

0.0

relevance

7.9

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.4

impact

0.6

exploitability

7.3

remediation

0.0

relevance

7.9

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

OpenCart Password Change Cross-Site Request Forgery Vulnerability

Vulnerability

Impact

Reproduction

Affected Products

OpenCart

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating