CVE-2022-50941
Persistent Cross-Site Scripting in BootCommerce 3.2.1 Enables Session Hijacking
Publication date: 2026-02-01
Last updated on: 2026-02-03
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bootcommerce | bootcommerce | to 3.2.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2022-50941 is a persistent Cross-Site Scripting (XSS) vulnerability in BootCommerce version 3.2.1. It occurs because the application does not properly validate and sanitize input fields during the guest order checkout process, specifically in billing and shipping address fields like name, email, phone, and address. This flaw allows remote attackers, including unauthenticated guests, to inject malicious scripts that persist in both the frontend order summary and backend order preview. These scripts can execute when viewed by users or administrators, enabling attacks such as session hijacking, phishing, and manipulation of application modules. [1, 2]
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to execute arbitrary malicious scripts within your BootCommerce application. This can lead to session hijacking, where attackers steal user sessions; phishing attacks, by displaying fraudulent content; external redirects to malicious websites; and manipulation of application modules, potentially compromising the integrity and security of your e-commerce platform. Since the vulnerability affects both frontend users and backend administrators, it poses risks to both customers and system operators. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the guest order checkout input fields for persistent cross-site scripting (XSS) vulnerabilities. Specifically, you can send crafted POST requests to the checkout.php script targeting parameters such as name, lastname, email, phone, fax, address, zip code, and city with malicious script payloads. Monitoring the frontend order summary and backend order preview modules for persistence of injected scripts can confirm exploitation. While no specific commands are provided, using tools like curl or Burp Suite to send POST requests with XSS payloads to these parameters during the guest checkout process can help detect the vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting the guest order checkout feature to prevent unauthenticated users from submitting input, applying input validation and sanitization on all user-supplied data in the checkout.php script, especially on billing and shipping address fields, and updating BootCommerce to a version where this vulnerability is fixed if available. Additionally, monitoring and cleaning any injected scripts from the frontend and backend order modules can reduce risk. Employing web application firewalls (WAF) to filter malicious input may also help mitigate exploitation. [1, 2]
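An added Python example, not code from BootCommerce or from the advisory, showing the two defender-side pieces of the mitigation above: escaping stored checkout fields when the order summary or backend order preview is rendered (beside the unsafe concatenation pattern it replaces), and a scan over stored guest orders that locates records containing markup so they can be cleaned. The field names follow the advisory; the sample order records and the helper names are constructed here.

```python
import html
import re

# Checkout fields the advisory names as carrying attacker-controlled input.
CHECKOUT_FIELDS = ("name", "lastname", "email", "phone", "fax",
                   "address", "zip", "city")

# A tag opener as browsers parse it: '<' (optionally '</') followed directly
# by a letter, or an inline event-handler attribute. Stored order data should
# be plain text, so a hit marks a record for review; a lone "<" or "&" in a
# legitimate value (e.g. "Bob & Sons") is not flagged.
MARKUP_RE = re.compile(r"</?[A-Za-z]|\bon[a-z]+\s*=", re.IGNORECASE)


def render_order_summary_unsafe(order: dict) -> str:
    """Vulnerable pattern: stored values concatenated straight into the order
    summary markup, so a stored <script> tag is emitted as live HTML."""
    rows = "".join(f"<tr><td>{f}</td><td>{order.get(f, '')}</td></tr>"
                   for f in CHECKOUT_FIELDS)
    return f"<table>{rows}</table>"


def render_order_summary(order: dict) -> str:
    """Hardened: every stored value is HTML-escaped at output time, so the
    browser shows '<script>' as text regardless of what checkout.php stored."""
    rows = "".join(
        f"<tr><td>{f}</td><td>{html.escape(str(order.get(f, '')), quote=True)}</td></tr>"
        for f in CHECKOUT_FIELDS)
    return f"<table>{rows}</table>"


def find_tainted_orders(orders: list) -> list:
    """Return (order_id, field) pairs whose checkout field contains markup,
    i.e. the stored records an operator should inspect and clean."""
    hits = []
    for order in orders:
        for field in CHECKOUT_FIELDS:
            if MARKUP_RE.search(str(order.get(field, ""))):
                hits.append((order["id"], field))
    return hits


# Constructed sample records (hypothetical data, not real BootCommerce orders).
SAMPLE_ORDERS = [
    {"id": "1001", "name": "Alice", "lastname": "O'Brien", "email": "a@example.com",
     "phone": "555-0100", "fax": "", "address": "Bob & Sons, 1 Main St",
     "zip": "12345", "city": "Springfield"},
    {"id": "1002", "name": "<script>alert(1)</script>", "lastname": "Doe",
     "email": "b@example.com", "phone": "555-0101", "fax": "",
     "address": "2 High St", "zip": "54321", "city": "Shelbyville"},
]
```

Running `find_tainted_orders(SAMPLE_ORDERS)` reports only order 1002's name field, while `render_order_summary` renders both records with every tag, quote and ampersand encoded.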