CVE-2022-50941 | THREATINT

Description

BootCommerce 3.2.1 contains persistent input validation vulnerabilities that allow remote attackers to inject malicious script code through guest order checkout input fields. Attackers can exploit unvalidated input parameters to execute arbitrary scripts, potentially leading to session hijacking, phishing attacks, and application module manipulation.

PUBLISHED Reserved 2026-01-11 | Published 2026-02-01 | Updated 2026-02-01 | Assigner VulnCheck

MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

MEDIUM: 6.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status

unaffected

3.2.1

affected

Credits

Vulnerability-Lab [Research Team] finder

References

www.vulnerability-lab.com/get_content.php?id=2279 (Vulnerability Lab Advisory) exploit

codecanyon.net/...-ecommerce-twitter-bootstrap-based/5702921 (Product Homepage) product

www.vulncheck.com/...cross-site-scripting-via-order-checkout (VulnCheck Advisory: BootCommerce 3.2.1 Persistent Cross-Site Scripting via Order Checkout) third-party-advisory

cve.org (CVE-2022-50941)

nvd.nist.gov (CVE-2022-50941)

Download JSON