OpenCart - Stored Cross Site Scripting (Authenticated)







Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

# Exploit Title: OpenCart - Stored Cross Site Scripting (Authenticated)
# Date: 2020-06-01
# Exploit Author: Kailash Bohara
# Vendor Homepage:
# Software Link:
# Version: OpenCart <
# CVE : CVE-2020-10596

1. Go to and login with credentials.

2. Then navigate to System>Users>Users and click on Action button on top right corner.

3. Now in image field , click on image and upload a new image. Before this select any image file and rename with this XSS payload "><svg onload=alert("XSS")> and then upload it as new user profile image.

4. After the upload completes the XSS pop-up executes as shown below and it will gets executed each time someone visits the Image manager section.