VYPR
Medium severity 5.3 · NVD Advisory · Published May 10, 2026 · Updated May 12, 2026

CVE-2021-47946

Description

OpenCart 3.0.3.6 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenticated attackers to modify victim account details by tricking users into visiting malicious pages. Attackers can craft CSRF payloads that change victim email addresses and account information, then use password reset functionality to gain unauthorized access to compromised accounts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenCart 3.0.3.6 has a CSRF vulnerability in /account/edit that lets an attacker change a victim's email address via a crafted page and then take over the account through the password reset flow.

Vulnerability

OpenCart 3.0.3.6 is vulnerable to a cross-site request forgery (CSRF) attack targeting the /account/edit endpoint [1][2]. The vulnerability stems from a lack of anti-CSRF tokens or other validation mechanisms on the account modification form, allowing an unauthenticated attacker to forge requests that change a victim's account details, including their email address and name [1].

Exploitation requires tricking a logged-in victim into visiting a malicious HTML page crafted by the attacker. The attacker must first generate a valid CSRF payload by intercepting a legitimate request to /account/edit (e.g., from their own account) and editing the email to an attacker-controlled address not yet registered [1]. When the victim opens the malicious page, the forged request is sent with the victim's session, silently updating their account email [1][2]. The attack does not require authentication on the attacker's side at the time of exploitation, only that the victim is authenticated [2].

The impact is full account takeover. After the victim's email is changed to an attacker-controlled address, the attacker can use the "forgot password" function to receive a password reset link via email, gaining access to the victim's account [1]. This compromises all account data and any associated functionality, such as order history or stored payment details [2].

The vulnerability affects OpenCart versions 3.0.3.6 and below [1][2]. As of the publication date, the vendor has not released a patch for this issue; users are advised to implement CSRF protection manually or monitor for updates [2]. No evidence exists of active exploitation in the wild or of inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog.
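The protection the narrative says is missing is a per-session anti-CSRF token that the edit form embeds and the handler verifies: a cross-site page can make the victim's browser attach the session cookie, but it cannot read that token. The Python model below is added here as an illustration; it is not OpenCart's code and not taken from this advisory's references. It contrasts a handler that trusts the session cookie alone with one that also requires the token (compared in constant time) and a first-party Origin header. The `Session` and `Request` classes, the handler names and the `https://shop.example` origin are assumptions made for the example.

```python
"""Synchronizer-token CSRF check for an account-edit handler (illustrative model).

Not OpenCart's code. Models the difference between a handler that trusts any
request carrying the victim's session cookie and one that also requires a
per-session secret that a cross-site page cannot read.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

ALLOWED_ORIGIN = "https://shop.example"  # assumption: the store's own origin


@dataclass
class Session:
    """Server-side session state resolved from the session cookie."""
    email: str
    csrf_token: Optional[str] = None


@dataclass
class Request:
    """The parts of an HTTP request the handler needs (constructed for this example)."""
    session: Session            # resolved from the cookie the browser attached
    form: Dict[str, str]        # submitted form fields
    origin: Optional[str] = None  # Origin header; browsers send it on cross-site POSTs


def issue_csrf_token(session: Session) -> str:
    """Mint a per-session token; the legitimate edit form embeds it as a hidden field."""
    session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def edit_account_unprotected(req: Request) -> bool:
    """Vulnerable pattern: the session cookie alone authorizes the change."""
    req.session.email = req.form["email"]
    return True


def edit_account_protected(req: Request) -> bool:
    """Hardened pattern: session-bound token plus an Origin check, then apply the edit."""
    submitted = req.form.get("csrf_token", "")
    expected = req.session.csrf_token or ""
    # Constant-time comparison; an empty expected token means no form was ever issued.
    if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False
    # Defense in depth: a cross-site POST carries a foreign Origin. Requests with no
    # Origin header (some older clients) fall back to the token check alone.
    if req.origin is not None and req.origin != ALLOWED_ORIGIN:
        return False
    new_email = req.form.get("email")
    if not new_email:
        return False
    req.session.email = new_email
    return True


def demo() -> Dict[str, str]:
    """Replay a legitimate edit and a forged cross-site edit against both handlers."""
    results: Dict[str, str] = {}

    # Legitimate flow: the user loads the form (token issued) and submits it back.
    victim = Session(email="victim@example.test")
    token = issue_csrf_token(victim)
    own = Request(victim, {"email": "new@example.test", "csrf_token": token}, ALLOWED_ORIGIN)
    edit_account_protected(own)
    results["legit_protected"] = victim.email

    # Forged flow (constructed): a page on another origin auto-submits the form. The
    # browser attaches the session cookie, but the page cannot supply the token and
    # the Origin header names the foreign site.
    victim = Session(email="victim@example.test")
    issue_csrf_token(victim)
    forged = Request(victim, {"email": "attacker@example.test"}, "https://evil.example")

    edit_account_unprotected(forged)
    results["forged_unprotected"] = victim.email   # silently changed

    victim.email = "victim@example.test"
    edit_account_protected(forged)
    results["forged_protected"] = victim.email     # unchanged, request rejected
    return results


if __name__ == "__main__":
    for case, email in demo().items():
        print(f"{case}: account email is now {email}")
```

Mount the protected handler on the edit route, issue the token when rendering the form, and rotate it on login. The token check is the control that actually closes the hole described above; the Origin comparison only narrows the window in which a leaked token could be replayed from another site.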

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Opencart / Opencart (inferred), 2 versions
    • (no CPE) range: = 3.0.3.6
    • (no CPE) range: = 3.0.3.6

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.