CVE-2021-47946
Cross-Site Request Forgery in OpenCart 3.0.36

Publication date: 2026-05-10

Last updated on: 2026-05-12

Assigner: VulnCheck

Description
OpenCart 3.0.3.6 contains a cross-site request forgery vulnerability in the /account/edit endpoint. An attacker who holds no credentials can modify a logged-in customer's account details by tricking that customer into visiting a malicious page, because the endpoint accepts a state-changing request authenticated only by the session cookie the browser attaches automatically. A crafted CSRF payload can change the victim's email address and other account information; the attacker then uses the password reset functionality against the re-pointed address to gain unauthorized access to the account.
Meta Information
Published: 2026-05-10
Last Modified: 2026-05-12
Generated: 2026-06-20
AI Q&A: 2026-05-10
EPSS Evaluated: 2026-06-18
External references: NVD, EUVD
Affected Vendors & Products (3 associated CPEs)
Vendor    Product    Version / Range
opencart  opencart   3.0.36
opencart  opencart   up to 3.0.36 (inclusive)
opencart  opencart   4.1.0.3
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Executive Summary

CVE-2021-47946 is a Cross-Site Request Forgery (CSRF) vulnerability found in OpenCart version 3.0.36, specifically in the /account/edit endpoint.

This vulnerability allows an attacker who holds no credentials to trick a logged-in customer into visiting a malicious page that auto-submits a forged request to /account/edit. Because the browser attaches the victim's session cookie and the endpoint does not verify a request-specific anti-CSRF token, the forged request changes the victim's account details, including the email address.

Once the email address on the account points to a mailbox the attacker controls, the attacker requests a password reset for the victim's account, receives the reset link, and takes the account over.

Impact Analysis

This vulnerability can lead to account takeover by an attacker who holds no credentials of their own; the only precondition is that the victim has an authenticated OpenCart session in the browser that loads the malicious page.

Attackers can change victim account details, including email addresses, which can then be used to reset passwords and gain full access to the victim's account.

Such unauthorized access can result in loss of personal data, unauthorized transactions, or misuse of the victim's account.

Mitigation Strategies

The root cause is that the /account/edit form in OpenCart 3.0.36 accepts state-changing POST requests authenticated only by the session cookie, with no request-specific anti-CSRF token, so a browser will submit it from any origin on the victim's behalf.

Apply any fix released by OpenCart for the affected versions listed above. Where the store cannot be updated immediately, the standard CWE-352 defenses apply to the endpoint: bind a per-session synchronizer token to the account/edit form and reject submissions that do not present it; set the session cookie with the SameSite attribute (Lax or Strict) so that cross-site form posts do not carry it; and reject state-changing requests whose Origin or Referer header is not the store's own origin, or whose Sec-Fetch-Site header is cross-site.

Because the attack chain depends on the email address change, requiring the current password to change the account email, and notifying both the old and the new address when it changes, limits the damage even if a forged request gets through. Warning users not to follow untrusted links reduces exposure, but it is not a control the store can rely on.
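The following is an added illustration, not OpenCart's own code: a minimal model of an account/edit handler in the vulnerable form (session cookie is the only check) beside the hardened form (same-origin check plus a per-session synchronizer token), driven by the forged cross-site form post the advisory describes. The route string, form field names, cookie name and store origin are assumptions made for the example.

```python
"""Added example (not OpenCart's code): CSRF against a model account/edit
handler, before and after hardening.  Route, field names, cookie name and
store origin are assumptions for illustration."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://shop.example"              # assumed store origin
EDIT_ROUTE = "/index.php?route=account/edit"      # assumed; the page lists it as /account/edit
SESSIONS: dict = {}                               # cookie value -> Session (in-memory stand-in)


@dataclass
class Session:
    customer_id: int
    email: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    headers: dict
    form: dict


def attacker_page(new_email: str) -> str:
    """HTML the attacker hosts on evil.example: the form auto-submits to the
    store, and the victim's browser attaches the store's session cookie."""
    return (
        f'<form id="f" method="POST" action="{SITE_ORIGIN}{EDIT_ROUTE}">'
        '<input name="firstname" value="Victim"><input name="lastname" value="User">'
        f'<input name="email" value="{new_email}"><input name="telephone" value="0000">'
        '</form><script>document.getElementById("f").submit()</script>'
    )


def browser_submit(page_origin: str, cookie: str, form: dict) -> Request:
    """What the browser sends for a form post: the store's cookie regardless of
    which page submitted the form, plus Origin/Sec-Fetch-Site naming that page."""
    fetch_site = "same-origin" if page_origin == SITE_ORIGIN else "cross-site"
    return Request("POST", EDIT_ROUTE, {"OCSESSID": cookie},
                   {"Origin": page_origin, "Sec-Fetch-Site": fetch_site}, form)


def edit_vulnerable(req: Request) -> int:
    """Vulnerable pattern: the session cookie is the only thing checked."""
    s = SESSIONS.get(req.cookies.get("OCSESSID"))
    if s is None:
        return 403
    s.email = req.form["email"]
    return 200


def edit_hardened(req: Request) -> int:
    """Hardened pattern: same-origin check plus a per-session synchronizer
    token that a cross-site page cannot read and therefore cannot supply."""
    s = SESSIONS.get(req.cookies.get("OCSESSID"))
    if s is None:
        return 403
    if req.headers.get("Origin") != SITE_ORIGIN:
        return 403
    # Older browsers omit Sec-Fetch-Site; when present it must not say cross-site.
    if req.headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return 403
    if not hmac.compare_digest(req.form.get("csrf_token", ""), s.csrf_token):
        return 403
    s.email = req.form["email"]
    return 200


def _login(email: str) -> tuple:
    SESSIONS.clear()
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = Session(customer_id=42, email=email)
    return cookie, SESSIONS[cookie]


def forged_edit(handler) -> tuple:
    """Victim is logged in, then loads the attacker's page.  Returns the
    handler's status and the email left on the account afterwards."""
    cookie, sess = _login("victim@example.org")
    req = browser_submit("https://evil.example", cookie, {
        "firstname": "Victim", "lastname": "User",
        "email": "attacker@evil.example", "telephone": "0000"})
    return handler(req), sess.email


def legitimate_edit() -> tuple:
    """Same-origin submit carrying the token the store's own page rendered;
    the hardened handler must still accept this."""
    cookie, sess = _login("victim@example.org")
    req = browser_submit(SITE_ORIGIN, cookie, {
        "firstname": "Victim", "lastname": "User", "email": "new@example.org",
        "telephone": "0000", "csrf_token": sess.csrf_token})
    return edit_hardened(req), sess.email


if __name__ == "__main__":
    print("vulnerable handler, forged request:", forged_edit(edit_vulnerable))
    print("hardened handler,   forged request:", forged_edit(edit_hardened))
    print("hardened handler,  legitimate edit:", legitimate_edit())
```

The attacker page never sees the token because the browser's same-origin policy keeps evil.example from reading the store's HTML; that, not the Origin check alone, is what makes the synchronizer token the primary control. The Origin and Sec-Fetch-Site checks are defense in depth for the case where a token check is forgotten on one form.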

Compliance Impact

The vulnerability allows attackers to take over user accounts by changing account details and resetting passwords without user consent. This unauthorized access to user accounts can lead to exposure or misuse of personal and sensitive information.

Such unauthorized access and potential data breaches could impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal data and ensuring user consent for data modifications.

However, the provided information does not explicitly discuss the direct impact on compliance with these standards.

Detection Guidance

This vulnerability involves Cross-Site Request Forgery (CSRF) attacks targeting the /account/edit endpoint in OpenCart 3.0.36 and below. A forged request carries the victim's valid session cookie, so it does not look unauthenticated; what distinguishes it is that the browser submitted it from another site. Detection therefore focuses on POST requests to the account/edit route whose Origin or Referer header names a host other than the store (or is absent), and, where the browser sends it, a Sec-Fetch-Site header of cross-site.

At the application level, an account email change followed shortly by a password reset request for the same customer, especially from a different client IP address, matches the exploitation chain described above. Correlate on the customer record rather than on the IP address, since the reset step comes from the attacker's own browser.

Specific commands or tools to detect this vulnerability are not provided in the available resources.
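As an added example (not tooling from the page or from OpenCart), the rule above applied to web server access logs: parse Apache combined-format lines and flag POSTs to the account/edit route whose Referer is off-site or missing. The store host, the route substring and the sample log lines are constructed for the example.

```python
"""Added example: flag cross-site POSTs to the account/edit route in
Apache combined-format access logs.  Store host, route substring and
the sample lines below are constructed for illustration."""
import re
from typing import Optional
from urllib.parse import urlparse

STORE_HOST = "shop.example"     # assumed
EDIT_ROUTE = "account/edit"     # substring of the request path; the page lists /account/edit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample: a legitimate edit, a CSRF-style edit submitted from
# evil.example, a harmless link follow (GET), and a POST with no Referer.
SAMPLE_LOG = """\
192.0.2.5 - - [10/May/2026:11:58:20 +0000] "POST /index.php?route=account/edit HTTP/1.1" 302 0 "https://shop.example/index.php?route=account/edit" "Mozilla/5.0"
203.0.113.7 - - [10/May/2026:12:00:01 +0000] "POST /index.php?route=account/edit HTTP/1.1" 302 0 "https://evil.example/win.html" "Mozilla/5.0"
203.0.113.8 - - [10/May/2026:12:00:30 +0000] "GET /index.php?route=account/edit HTTP/1.1" 200 5120 "https://mail.example/inbox" "Mozilla/5.0"
198.51.100.9 - - [10/May/2026:12:01:12 +0000] "POST /index.php?route=account/edit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def classify(entry: dict) -> Optional[str]:
    """Return a finding label for one parsed entry, or None if benign.
    Only state-changing requests matter: a GET reached via a foreign link is normal."""
    if entry["method"] != "POST" or EDIT_ROUTE not in entry["path"]:
        return None
    ref = entry["referer"]
    if ref in ("", "-"):
        # Ambiguous: a strict referrer policy also strips it.  Review, do not alert alone.
        return "no-referer"
    host = urlparse(ref).hostname or ""
    if host != STORE_HOST:
        # The browser reports the form was submitted from a page on another site.
        return "cross-site-referer"
    return None


def find_csrf_suspects(log_text: str) -> list:
    """Parse combined-format lines and collect the ones classify() flags."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        label = classify(entry)
        if label:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "referer": entry["referer"], "finding": label})
    return findings


if __name__ == "__main__":
    for f in find_csrf_suspects(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']:<15}  {f['finding']:<20}  referer={f['referer']}")
```

The default combined format does not record Origin or Sec-Fetch-Site; adding `%{Sec-Fetch-Site}i` to the Apache LogFormat (or the equivalent `$http_sec_fetch_site` in nginx) gives a far less ambiguous signal than Referer, which users and extensions routinely suppress. The password reset step of the chain arrives from the attacker's own address, so it will not share an IP with the flagged edit; tie the two together through the customer's email-change and reset events in the application's own records.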
