Description
OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick authenticated users into submitting hidden forms with new password values in the 'password' and 'confirm' parameters to hijack accounts.
Published: 2026-05-10
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenCart 3.0.3.7 contains a cross-site request forgery flaw that allows an attacker to change the password of an authenticated user by having that user's browser send a crafted POST request to the /account/password endpoint. The vulnerability stems from the absence of a CSRF token on the password change form, so an attacker can trick a logged-in user into submitting a hidden form that sets new values for the 'password' and 'confirm' fields. If successful, the attacker takes control of the victim's account, compromising the confidentiality and integrity of the site's data.

Affected Systems

The flaw is limited to OpenCart version 3.0.3.7. No other versions or vendors are listed as affected.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation yet. However, the attack requires the victim to be logged in and to unknowingly submit a malicious form, a scenario that is feasible in many web contexts. Depending on the user base, the risk of account takeover remains significant for sites that cannot immediately patch.

Generated by OpenCVE AI on May 10, 2026 at 14:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenCart to a version newer than 3.0.3.7 where the CVE is fixed
  • If an upgrade is not immediately possible, add CSRF protection to the password change endpoint so that only requests with a valid token are processed
  • Consider temporarily disabling password reset functionality for users while the patch is applied

Generated by OpenCVE AI on May 10, 2026 at 14:50 UTC.
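As an added illustration of the second recommended action (this is example code written for this page, not OpenCart's own code), the following PHP shows a synchronizer-token check in front of a password-change handler: a per-session random token is embedded in the form as a hidden field, and the handler refuses any POST whose token does not match the session copy, with an Origin-header check as defence in depth. PHP is used because OpenCart is a PHP application. The function names, the csrf_token field name, the session key and the hostnames are assumptions, and the self-check at the bottom uses constructed request and session arrays rather than a live web server.

```php
<?php
// Added example (not OpenCart code): synchronizer-token CSRF protection
// for a password-change endpoint. Names and hostnames are hypothetical.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';

// Issue (or reuse) a per-session token. Call before rendering the form.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        // 32 random bytes -> 64 hex chars; a third-party site cannot read or guess it.
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden input to embed in the password form next to 'password' and 'confirm'.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate a submitted token against the session copy.
// hash_equals is a constant-time comparison, so timing does not leak the token.
function csrf_valid(array $post, array $session): bool
{
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given = $post['csrf_token'] ?? '';
    if (!is_string($expected) || !is_string($given) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

// Defence in depth: a form posted from another site carries that site's Origin.
// Returns true when the header is absent (older clients) or matches our host.
function origin_allowed(array $server, string $expectedHost): bool
{
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin === null) {
        return true;
    }
    $host = parse_url($origin, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// The guarded handler. Returns a status string instead of rendering a page
// so it can be exercised without a web server.
function handle_password_change(array $post, array $session, array $server, string $siteHost): string
{
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return 'method_not_allowed';
    }
    if (!origin_allowed($server, $siteHost) || !csrf_valid($post, $session)) {
        return 'csrf_rejected'; // worth logging: a forged or cross-origin request reached the endpoint
    }
    $password = $post['password'] ?? '';
    $confirm = $post['confirm'] ?? '';
    if ($password === '' || $password !== $confirm) {
        return 'validation_failed';
    }
    // ... persist password_hash($password, PASSWORD_DEFAULT) for the logged-in customer ...
    return 'password_changed';
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Self-check with constructed session and request data (no real session involved).
$session = [CSRF_SESSION_KEY => bin2hex(random_bytes(32))];
$server = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://shop.example'];

// Submission from our own form: token present and matching.
$own = ['password' => 'N3w-Passw0rd!', 'confirm' => 'N3w-Passw0rd!', 'csrf_token' => $session[CSRF_SESSION_KEY]];
check(handle_password_change($own, $session, $server, 'shop.example') === 'password_changed', 'legitimate change');

// Hidden form from another site: it cannot include the victim's token, so it is refused.
$noToken = ['password' => 'changed', 'confirm' => 'changed'];
check(handle_password_change($noToken, $session, $server, 'shop.example') === 'csrf_rejected', 'missing token');

// Correct token but foreign Origin header: still refused.
$foreign = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://other.example'];
check(handle_password_change($own, $session, $foreign, 'shop.example') === 'csrf_rejected', 'foreign origin');

echo "all checks passed\n";
```

The token lives only in the server-side session and in the page the site itself rendered, which is exactly what a page on another origin cannot read; the Origin check catches the same class of request even if a token were ever leaked. Marking the session cookie SameSite=Lax or Strict is a third, complementary layer.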

Advisories

No advisories yet.

History

Sun, 10 May 2026 13:00:00 +0000

Type | Values Removed | Values Added
Description | | OpenCart 3.0.3.7 contains a cross-site request forgery vulnerability that allows attackers to change user passwords by sending crafted requests to the account/password endpoint. Attackers can trick authenticated users into submitting hidden forms with new password values in the 'password' and 'confirm' parameters to hijack accounts.
Title | | OpenCart 3.0.3.7 Cross-Site Request Forgery via account/password
First Time appeared | | Opencart; Opencart opencart
Weaknesses | | CWE-352
CPEs | | cpe:2.3:a:opencart:opencart:3.0.3.7:*:*:*:*:*:*:*
Vendors & Products | | Opencart; Opencart opencart
References | |
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
 | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}

Subscriptions

Opencart Opencart
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:52:13.172Z

Reserved: 2026-02-01T11:24:18.720Z

Link: CVE-2021-47953

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-10T13:16:31.853

Modified: 2026-05-10T13:16:31.853

Link: CVE-2021-47953

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T15:30:14Z

Weaknesses