Description
Opencart TMD Vendor System 3.x contains a blind SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the product_id parameter. Attackers can craft malicious SQL queries using time-based or content-based blind injection techniques to enumerate usernames, emails, and password reset codes from the oc_user table.
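One defensive check for the issue described above, as an added example that is not part of the advisory or of the vendor's code: scan web access logs for requests whose `product_id` is not a plain integer. The combined log format, the `route=example/placeholder` value, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client IP and request target from a combined-format access log line
# (assumed log format; adjust the pattern to the server's actual format).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# A legitimate product_id is a short run of decimal digits and nothing else.
VALID_ID_RE = re.compile(r"\d{1,10}")


def suspicious_product_id_requests(lines):
    """Return (client_ip, decoded_value) for each product_id that is not an integer."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line we can parse
        query = urlsplit(match.group("target")).query
        # parse_qs percent-decodes values; keep_blank_values also surfaces
        # an empty product_id, which is never valid either.
        params = parse_qs(query, keep_blank_values=True)
        for value in params.get("product_id", []):
            if not VALID_ID_RE.fullmatch(value):
                hits.append((match.group("ip"), value))
    return hits


# Constructed sample lines (documentation IP ranges, placeholder route).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /index.php?route=example/placeholder&product_id=42 HTTP/1.1" 200 5120',
    '203.0.113.55 - - [01/Jan/2024:10:00:03 +0000] '
    '"GET /index.php?route=example/placeholder&product_id=42%27 HTTP/1.1" 200 5120',
    '203.0.113.55 - - [01/Jan/2024:10:00:04 +0000] '
    '"GET /index.php?route=example/placeholder&product_id=42+AND+1%3D1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, value in suspicious_product_id_requests(SAMPLE_LOG):
        print(f"{ip}\tproduct_id={value!r}")
```

Access logs normally record only the query string, so a `product_id` sent in a request body needs the same integer check applied at a WAF or in the application itself.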
Problem types
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Product status
Credits
Muhammad Zaki Sulistya (zaki.sulistya@gmail.com)
References
www.exploit-db.com/exploits/50493 (ExploitDB-50493)
www.opencartextensions.in/ (Official Product Homepage)
www.opencartextensions.in/...vendor-multi-seller-marketplace (Product Reference)
www.vulncheck.com/...x-blind-sql-injection-via-product-route (VulnCheck Advisory: Opencart TMD Vendor System 3.x Blind SQL Injection via product route)