Opencart TMD Vendor System Blind SQL Injection Vulnerability (CVE-2021-47928)

Opencart TMD Vendor System 3.x is susceptible to a blind SQL injection vulnerability (CVE-2021-47928) that enables unauthenticated attackers to extract sensitive database information. The vulnerability stems from insufficient input sanitization of the product_id parameter, allowing injection of malicious SQL code. By leveraging time-based or content-based blind injection techniques, attackers can enumerate usernames, emails, and password reset codes from the oc_user table. This can lead to unauthorized access to user accounts and potential data breaches. This vulnerability was reported to NVD on May 10, 2026.

Attack Chain

1. An unauthenticated attacker identifies the vulnerable product_id parameter in the Opencart TMD Vendor System 3.x application.
2. The attacker crafts a malicious HTTP GET request with a SQL injection payload embedded within the product_id parameter.
3. The application processes the crafted request without proper sanitization, passing the malicious SQL code to the database server.
4. The database server executes the injected SQL code, performing actions such as querying the oc_user table.
5. Using blind SQL injection techniques (time-based or content-based), the attacker infers information about the database structure and contents.
6. The attacker iterates through the database, extracting sensitive information such as usernames, emails, and password reset codes.
7. The attacker uses the extracted credentials or password reset codes to gain unauthorized access to user accounts.
8. The attacker may further compromise the system, exfiltrate data, or perform other malicious activities.

Impact

Successful exploitation of this vulnerability (CVE-2021-47928) can lead to complete database compromise, including exposure of user credentials, personally identifiable information (PII), and other sensitive data. Unauthenticated attackers can leverage this access to take over administrator accounts, modify website content, or gain deeper access into the target network. Given the potential for widespread exploitation, organizations using Opencart TMD Vendor System 3.x are at significant risk.

Recommendation

• Apply available patches or upgrade to a secure version of Opencart TMD Vendor System to remediate CVE-2021-47928.
• Deploy the Sigma rule “Detect CVE-2021-47928 Exploitation — Opencart TMD Vendor System Blind SQL Injection” to identify exploitation attempts in web server logs.
• Implement web application firewall (WAF) rules to block requests containing SQL injection payloads targeting the product_id parameter.
• Enforce the principle of least privilege on database accounts to limit the impact of successful SQL injection attacks.
• Regularly review and audit web application code for SQL injection vulnerabilities using static and dynamic analysis tools.