security-research

I found two vulnerabilities in the ShipRocket OpenCart module

One was an Access Bypass as a result of a logic error and type confusion in PHP.

This allows an unauthenticated attacker to access potentially sensitive information stored in the site's database.

Details: https://gist.github.com/mcdruid/0d1fdbba445587639ee5da66e7abfcc9

This was assigned CVE-2025-0580.

I found an Unrestricted File Upload in the BlogBotz OpenCart module.

This could allow an unauthenticated attacker to gain unauthorised access to the site / hosting infrastructure, for example via a PHP webshell or similar exploit.

Details: https://gist.github.com/mcdruid/28124198128022a1c2b4060f74d99cd6

This was assigned CVE-2025-0460

I found a SQLi vulnerability in the Dreamvention Live Ajax Search OpenCart module.

This allows an unauthenticated attacker to access any and all content stored in the database.

Via the SQLi vulnerability it's possible to compromise the site by exfiltrating admin session details / credentials.

Details: https://gist.github.com/mcdruid/d6a41cfebd9e10e63a8c698d3a8ad771

This was assigned CVE-2025-1116

I found a SQLi vulnerability in the TMD Custom Header Menu OpenCart module.

The CVSS score for this is lower than some of the other SQLi vulnerabilities I found in OpenCart modules, because the vulnerable code is only accessible by authenticated (admin) users.

The maintainers acknowledged the report and fixed this quickly.

Details: https://gist.github.com/mcdruid/ff4f29f4e7830e9e91988c7195d77039

This was assigned CVE-2025-0214