OpenCart
CVE-2025-15116
LOW
Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security flaw has been discovered in OpenCart up to 4.1.0.3. Affected by this issue is some unknown functionality of the component Single-Use Coupon Handler. Performing a manipulation results in race condition. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
OpenCart versions up to 4.1.0.3 are vulnerable to a race condition in the Single-Use Coupon Handler component that allows remote attackers to perform unauthorized manipulation resulting in information disclosure. The attack requires high complexity and no authentication, with a CVSS score of 2.9 indicating low impact. Publicly available exploit code exists, though the vendor did not respond to early disclosure notification.
Technical ContextAI
The vulnerability exists in OpenCart's Single-Use Coupon Handler functionality, which manages the lifecycle and validation of promotional coupons restricted to single use. The underlying issue is a classic race condition (CWE-362), where concurrent requests to redeem the same coupon can bypass the single-use restriction due to improper synchronization between coupon validation and redemption logic. This timing-based flaw allows an attacker to exploit the window between when a coupon is validated as available and when it is marked as consumed, potentially allowing multiple redemptions or disclosure of coupon validity states. The affected product is OpenCart, a PHP-based e-commerce platform, with specific impact limited to the coupon subsystem.
RemediationAI
No vendor-released patch has been identified at time of analysis, as the OpenCart vendor did not respond to early disclosure. Users should upgrade to OpenCart 4.1.1 or later if available, or implement compensating controls to mitigate race condition exploitation. Mitigations include: (1) Enforce database-level locks on coupon redemption queries using SELECT FOR UPDATE or equivalent row-level locking to serialize concurrent coupon validation and marking as consumed, reducing the race window to near-zero; (2) Implement transaction-level isolation using serializable transaction isolation level (trade-off: potential performance impact on high-concurrency coupon usage); (3) Disable the Single-Use Coupon feature entirely if not operationally required, eliminating the vulnerable code path; (4) Monitor coupon redemption logs for duplicate uses within short time windows and alert on anomalies. Check https://vuldb.com/?id.338494 and vendor advisory channels for patch status updates.
OpenCart CMS v4.0.2.2 was discovered to lack a protective mechanism on its login page against excessive login attempts,
OpenCart 3.0.3.8 contains a session fixation vulnerability that allows attackers to hijack user sessions by injecting ar
An issue discovered in OpenCart 4.0.0.0 to 4.0.2.3 allows authenticated backend users having common/security write privi
Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2 allows an authenticated user with access/modify privilege on the
/upload/catalog/controller/account/password.php in OpenCart through 3.0.2.0 has CSRF via the index.php?route=account/pas
This affects versions of the package opencart/opencart from 0.0.0. Rated high severity (CVSS 8.1), this vulnerability is
The "program extension upload" feature in OpenCart through 3.0.2.0 has a six-step process (upload, install, unzip, move,
SQL injection vulnerability in the updateAmazonOrderTracking function in upload/admin/model/openbay/amazon.php in OpenCa
OpenCart 4.0.2.3 is vulnerable to Server-Side Template Injection (SSTI) via the Theme Editor Function. Rated high severi
This affects versions of the package opencart/opencart from 4.0.0.0. Rated high severity (CVSS 7.2), this vulnerability
This affects versions of the package opencart/opencart from 4.0.0.0. Rated high severity (CVSS 7.2), this vulnerability
OpenCart 3.0.36 contains a cross-site request forgery vulnerability in the /account/edit endpoint that allows unauthenti
Same weakness CWE-362 – Race Condition
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today