CVE-2022-50941
Unknown Unknown - Not Provided
Persistent Cross-Site Scripting in BootCommerce 3.2.1 Enables Session Hijacking

Publication date: 2026-02-01

Last updated on: 2026-02-03

Assigner: VulnCheck

Description
BootCommerce 3.2.1 contains persistent input validation vulnerabilities that allow remote attackers to inject malicious script code through guest order checkout input fields. Attackers can exploit unvalidated input parameters to execute arbitrary scripts, potentially leading to session hijacking, phishing attacks, and application module manipulation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-01
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-02-01
EPSS Evaluated
2026-06-15
NVD
CVE-2022-50941
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bootcommerce bootcommerce to 3.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2022-50941 is a persistent Cross-Site Scripting (XSS) vulnerability in BootCommerce version 3.2.1. It occurs because the application does not properly validate and sanitize input fields during the guest order checkout process, specifically in billing and shipping address fields like name, email, phone, and address. This flaw allows remote attackers, including unauthenticated guests, to inject malicious scripts that persist in both the frontend order summary and backend order preview. These scripts can execute when viewed by users or administrators, enabling attacks such as session hijacking, phishing, and manipulation of application modules. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute arbitrary malicious scripts within your BootCommerce application. This can lead to session hijacking, where attackers steal user sessions; phishing attacks, by displaying fraudulent content; external redirects to malicious websites; and manipulation of application modules, potentially compromising the integrity and security of your e-commerce platform. Since the vulnerability affects both frontend users and backend administrators, it poses risks to both customers and system operators. [1, 2]

Detection Guidance

This vulnerability can be detected by testing the guest order checkout input fields for persistent cross-site scripting (XSS) vulnerabilities. Specifically, you can send crafted POST requests to the checkout.php script targeting parameters such as name, lastname, email, phone, fax, address, zip code, and city with malicious script payloads. Monitoring the frontend order summary and backend order preview modules for persistence of injected scripts can confirm exploitation. While no specific commands are provided, using tools like curl or Burp Suite to send POST requests with XSS payloads to these parameters during the guest checkout process can help detect the vulnerability. [1]

Mitigation Strategies

Immediate mitigation steps include disabling or restricting the guest order checkout feature to prevent unauthenticated users from submitting input, applying input validation and sanitization on all user-supplied data in the checkout.php script, especially on billing and shipping address fields, and updating BootCommerce to a version where this vulnerability is fixed if available. Additionally, monitoring and cleaning any injected scripts from the frontend and backend order modules can reduce risk. Employing web application firewalls (WAF) to filter malicious input may also help mitigate exploitation. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50941. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart