OpenCart - Stored Cross Site Scripting (Authenticated)

ID: 103042
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Date: 2020-06-01
# Exploit Author: Kailash Bohara
# Vendor Homepage:
# Software Link:
# Version: OpenCart <
# CVE : CVE-2020-10596

1. Go to and login with credentials.

2. Then navigate to System>Users>Users and click on Action button on top right corner.

3. Now in image field , click on image and upload a new image. Before this select any image file and rename with this XSS payload "><svg onload=alert("XSS")> and then upload it as new user profile image.

4. After the upload completes the XSS pop-up executes as shown below and it will gets executed each time someone visits the Image manager section.
1-4-2 (www02)