*CVE-2025-45892 – Stored XSS via Blog Editor*
*Affected Versions*: OpenCart 4.1.0.4 and below
*Vector*: Stored XSS
*Attack Surface*: Blog editor input
*Description*: Input to the blog editor is rendered without sufficient
sanitization, allowing JavaScript injection.
*PoC*:
1. Navigate to the blog editor in the admin panel.
2. Insert the following payload:
3. Save and view the blog post. The script executes when the post is viewed.
------------------------------
*CVE-2025-45893 – Stored XSS via SVG Upload*
*Affected Versions*: OpenCart 4.1.0.4 and below
*Vector*: Stored XSS via file upload
*Attack Surface*: SVG uploads through the media manager
*Description*: SVG files are not properly sanitized. JavaScript embedded
within them executes upon rendering.
*PoC*:
1. Create a malicious SVG file:
2. Upload it via the media manager and insert it into a blog post.
3. Viewing the post triggers the JavaScript.
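
A defensive check for the SVG upload issue described above, as an added example that is not part of the original advisory and not OpenCart code: it parses an uploaded SVG and lists the active content that should cause the upload to be rejected. The function names, the element list and the deliberately strict "fragment-only href" policy are assumptions, and the sample files are constructed with placeholder bodies.

```python
import xml.etree.ElementTree as ET

# Elements that can run script or embed foreign (HTML) content in an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

# Constructed samples; the script and handler bodies are inert placeholders.
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'
FLAGGED = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="/* placeholder */">'
           b'<script>/* placeholder */</script></svg>')


def local(name):
    """Strip an ElementTree '{namespace}' prefix and lowercase the name."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list:
    """Return reasons to reject an uploaded SVG; an empty list means none found."""
    try:
        text = data.decode("utf-8")  # accept UTF-8 only, so the checks below see real text
    except UnicodeDecodeError:
        return ["not valid UTF-8"]
    lowered = text.lower()
    if "<!doctype" in lowered or "<!entity" in lowered:
        return ["DOCTYPE/ENTITY declaration"]  # refuse before parsing (entity expansion)
    try:
        root = ET.fromstring(text)
    except (ET.ParseError, ValueError):
        return ["not well-formed XML"]  # fail closed on anything unparsable
    findings = []
    if local(root.tag) != "svg":
        findings.append("root element is not <svg>")
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name)
            if attr.startswith("on"):
                findings.append(f"{attr} event-handler attribute on <{tag}>")
            elif attr == "href" and not value.strip().startswith("#"):
                findings.append(f"non-fragment href on <{tag}>")
    return findings


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("flagged", FLAGGED)):
        print(label, svg_findings(sample))
```

Rejecting a flagged file outright is easier to reason about than trying to strip the active parts and keep the rest.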