Description
jCart for OpenCart 2.3.0.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information without authentication. Attackers can craft malicious HTML forms targeting the extension's account endpoints to change user credentials, passwords, and affiliate account details when victims visit the attacker-controlled page.
Published: 2026-05-17
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross‑site request forgery flaw in jCart for OpenCart 2.3.0.2 that allows attackers to modify user account information, such as credentials, passwords, and affiliate details, without authentication. Attackers can craft malicious HTML forms targeting the extension’s account‑change endpoints, so that when a victim visits an attacker‑controlled page the browser submits privileged state‑changing requests under the victim’s session. This flaw is a CWE‑352 and can result in compromised accounts and potential credential theft.

Affected Systems

The affected product is the Joomla! extension jCart for OpenCart, version 2.3.0.2. Users who have installed this exact version of the extension are vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 6.9, indicating medium severity, and the EPSS score is < 1%. It is not listed in the CISA KEV catalog. An attacker would need to convince a legitimate user to visit a malicious page in order to trigger the request, so exploitation depends on user interaction. The risk is moderate, with the potential for unauthorized account modifications but no direct code execution or denial of service identified.

Generated by OpenCVE AI on May 26, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the jCart for OpenCart extension to a version that includes CSRF protection or the latest available release.
  • Ensure that all state‑changing actions in the extension are guarded by CSRF token validation; if the current code does not provide this, add a token check before processing requests.
  • Apply a WAF rule or similar filtering to block unexpected POST requests to the extension’s account‑change endpoints, restricting allowed referrers or requiring a CSRF token.
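A minimal CSRF guard of the kind the second recommendation describes, as an added example rather than jCart's or OpenCart's own code; the handler, the host name `shop.example`, the session key and the form field name are assumptions.

```php
<?php
// Added example, not jCart/OpenCart code: a session-bound CSRF token guard
// for a hypothetical account-edit handler. Names and host are assumptions.

// SameSite=Lax stops most cross-site form posts from carrying the session
// cookie at all (PHP 7.3+); the token check below is the primary control.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// Issue one unpredictable token per session; embed it in every form that
// changes state, e.g.
//   <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Returns true only if the request is a POST, the submitted token matches the
// session token (compared in constant time), and, when an Origin or Referer
// header is present, it names this site.
function csrf_request_is_valid(array $post, array $server, string $expected_host): bool {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $sent     = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($sent === '' || $expected === '' || !hash_equals($expected, $sent)) {
        return false;
    }
    // Defence in depth: a form submitted from another site carries that
    // site's Origin, so a mismatch is rejected even if a token leaked.
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($origin !== '') {
        $host = parse_url($origin, PHP_URL_HOST);
        if (!is_string($host) || strcasecmp($host, $expected_host) !== 0) {
            return false;
        }
    }
    return true;
}

// Hypothetical account-edit endpoint: reject before touching any account data.
if (!csrf_request_is_valid($_POST, $_SERVER, 'shop.example')) {
    http_response_code(403);
    exit('Invalid or missing CSRF token');
}
// ... only now update e-mail, password or affiliate details for the logged-in user ...
```

The same check belongs in front of every state-changing action the extension exposes, not only the one handler shown.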

Advisories

No advisories yet.

History

Tue, 26 May 2026 00:00:00 +0000

Type: Description
Values removed: Joomla jCart for OpenCart 2.3.0.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information without authentication. Attackers can craft malicious HTML forms targeting endpoints , and to change user credentials, passwords, and affiliate account details when victims visit the attacker-controlled page.
Values added: jCart for OpenCart 2.3.0.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information without authentication. Attackers can craft malicious HTML forms targeting endpoints , and to change user credentials, passwords, and affiliate account details when victims visit the attacker-controlled page.

Type: Title
Values removed: Joomla jCart for OpenCart 2.3.0.2 Cross-Site Request Forgery
Values added: jCart for OpenCart 2.3.0.2 Cross-Site Request Forgery

Mon, 18 May 2026 21:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 17 May 2026 18:00:00 +0000

Type: First Time appeared
Values added: Joomlaextensions; Joomlaextensions jcart For Opencart

Type: Vendors & Products
Values added: Joomlaextensions; Joomlaextensions jcart For Opencart

Sun, 17 May 2026 12:30:00 +0000

Type: Description
Values added: Joomla jCart for OpenCart 2.3.0.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information without authentication. Attackers can craft malicious HTML forms targeting endpoints , and to change user credentials, passwords, and affiliate account details when victims visit the attacker-controlled page.

Type: Title
Values added: Joomla jCart for OpenCart 2.3.0.2 Cross-Site Request Forgery

Type: Weaknesses
Values added: CWE-352

Type: References
Values added: none

Type: Metrics
Values added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}; cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T23:41:05.238Z

Reserved: 2026-05-17T11:58:03.058Z

Link: CVE-2018-25336

Vulnrichment

Updated: 2026-05-18T20:08:11.159Z

NVD

Status: Deferred

Published: 2026-05-17T13:16:45.343

Modified: 2026-05-26T00:16:44.353

Link: CVE-2018-25336

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T02:00:13Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)