Description
Joomla jCart for OpenCart 2.3.0.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information without authentication. Attackers can craft malicious HTML forms targeting endpoints , and to change user credentials, passwords, and affiliate account details when victims visit the attacker-controlled page.
Published: 2026-05-17
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a cross‑site request forgery flaw in the jCart for OpenCart extension that lets an attacker modify user account data—including credentials, passwords, and affiliate details—without any authentication. By sending a victim to a crafted HTML form that posts to the extension’s change‑account endpoints, the attacker forces the victim’s browser to submit privileged state‑changing requests with the victim’s session. This weakness is classified as CWE‑352 and can result in compromised accounts and potential credential theft.

Affected Systems

The affected product is the Joomla! extension jCart for OpenCart, version 2.3.0.2. Users who have installed this exact version of the extension are vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 6.9, indicating medium severity, and there is no EPSS data available. It is not listed in the CISA KEV catalog. An attacker would need to convince a legitimate user to visit a malicious page in order to trigger the request, making the exploit a user‑interaction attack. The risk is moderate, with the potential for unauthorized account modifications but no direct code execution or denial of service uncovered.

Generated by OpenCVE AI on May 17, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the jCart for OpenCart extension to a version that includes CSRF protection or the latest available release.
  • Ensure that all state‑changing actions in the extension are guarded by CSRF token validation; if the current code does not provide this, add a token check before processing requests.
  • Apply a WAF rule or similar filtering to block unexpected POST requests to the extension’s account‑change endpoints, restricting allowed referrers or requiring a CSRF token.
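As an added illustration of the second recommendation (a token check before any state-changing request is processed), the PHP below is example code written for this page, not code from jCart, OpenCart or Joomla. The function names, the session key and field name, and the account-update handler are assumptions; the affected endpoints are not named here because the description above does not name them.

```php
<?php
// Added example (not project code): a minimal synchronizer-token CSRF guard
// for a hypothetical account-update endpoint. Names are assumptions.

declare(strict_types=1);

const CSRF_SESSION_KEY = '_csrf_token';   // assumed session key
const CSRF_FIELD       = 'csrf_token';    // assumed form field name

// Return the per-session token, creating it on first use.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        // 32 random bytes -> 64 hex chars; a third-party page cannot read it.
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Validate a submitted token against the copy stored in the session.
function csrf_validate(?string $submitted): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? '';
    if ($expected === '' || $submitted === null) {
        return false;
    }
    // Constant-time comparison so the check does not leak the token by timing.
    return hash_equals($expected, $submitted);
}

// Hidden input to embed in every legitimate form that changes account state.
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Hypothetical handler for the account-update endpoint. It rejects anything
// that is not a POST carrying a valid token, so a form hosted on another
// origin (which has no way to obtain the victim's session token) is refused
// even though the browser still attaches the victim's session cookie.
function handle_account_update(array $post, string $method): array
{
    if ($method !== 'POST') {
        return ['status' => 405, 'error' => 'method not allowed'];
    }
    if (!csrf_validate($post[CSRF_FIELD] ?? null)) {
        return ['status' => 403, 'error' => 'invalid or missing CSRF token'];
    }
    // Only here would the real code apply the requested changes
    // (e-mail, password, affiliate details). Omitted in this example.
    return ['status' => 200, 'ok' => true];
}

// Example wiring when served by a web server; $_POST and $_SERVER are
// populated by PHP at runtime. Skipped under the CLI so the file can be linted.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/json');
    echo json_encode(
        handle_account_update($_POST, $_SERVER['REQUEST_METHOD'] ?? 'GET')
    );
}
```

The token is tied to the session rather than to the Referer header, because Referer can be absent or stripped by browsers and proxies and is therefore not a reliable sole check for the third recommendation. Setting the session cookie with the SameSite attribute (for example via session_set_cookie_params with 'samesite' => 'Lax') is a complementary defence in depth, not a replacement for the token check, and password-change handlers should additionally require the current password.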


Tracking


Advisories

No advisories yet.

History

Sun, 17 May 2026 18:00:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Joomlaextensions; Joomlaextensions jcart For Opencart
Vendors & Products   |                | Joomlaextensions; Joomlaextensions jcart For Opencart

Sun, 17 May 2026 12:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Joomla jCart for OpenCart 2.3.0.2 contains a cross-site request forgery vulnerability that allows attackers to modify user account information without authentication. Attackers can craft malicious HTML forms targeting endpoints , and to change user credentials, passwords, and affiliate account details when victims visit the attacker-controlled page.
Title       |                | Joomla jCart for OpenCart 2.3.0.2 Cross-Site Request Forgery
Weaknesses  |                | CWE-352
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
            |                | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}


Subscriptions

Joomlaextensions Jcart For Opencart
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-17T12:11:40.114Z

Reserved: 2026-05-17T11:58:03.058Z

Link: CVE-2018-25336

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-17T13:16:45.343

Modified: 2026-05-17T13:16:45.343

Link: CVE-2018-25336

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T16:59:54Z

Weaknesses