As part of my research into gadget chains and PHP Object Injection, I discovered an exploitable vulnerability in multiple OpenCart modules whose names follow the pattern aridius_XYZ.
Current "official" releases of the Aridius modules appear not to be vulnerable. However, "unofficial" versions of the extensions also appear to be in common use.
At the time of discovery, at least one such unofficial version was available for free download from the OpenCart marketplace; that release was vulnerable.
The vulnerability is exploitable remotely without authentication.
Property-Oriented Programming (POP) gadget chains exist in OpenCart 3 and 4 which allow Object Injection vulnerabilities to be exploited, for example to write arbitrary files or to achieve Remote Code Execution.
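As an added illustration of the object-injection mechanism referred to above (this is example code written for this page, not code from the Aridius modules or from OpenCart; the CacheWriter class and the loadSettings* functions are hypothetical stand-ins, and the real OpenCart gadget chains are the ones described in the linked gist):

```php
<?php
// Added illustration of PHP Object Injection (CWE-502) and a minimal
// "POP gadget". The CacheWriter class below is constructed for this
// example; it is NOT code from the Aridius modules or from OpenCart, and
// it does not reproduce the actual OpenCart gadget chains.

// Hypothetical gadget: a class whose destructor writes a file using
// attacker-controllable properties. Any autoloadable class with side
// effects in __wakeup()/__destruct()/__toString() can play this role.
class CacheWriter
{
    public $path = '/tmp/cache.tmp';
    public $data = '';

    public function __destruct()
    {
        // Runs when the object is garbage-collected, including for objects
        // that unserialize() created from attacker-supplied input.
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable pattern: untrusted input (request parameter, cookie, stored
// setting) goes straight into unserialize(), so the attacker chooses the
// class and every property value.
function loadSettingsVulnerable($untrusted)
{
    return unserialize($untrusted);
}

// Hardened variant 1: forbid class instantiation. Objects in the payload
// become __PHP_Incomplete_Class and no magic-method gadget code runs.
function loadSettingsHardened($untrusted)
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened variant 2: do not use PHP serialization for untrusted data at all.
function loadSettingsJson($untrusted)
{
    return json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed payload, built as a string so that no CacheWriter object is
// created (and no destructor fires) on the attacker's side. It encodes a
// CacheWriter whose path and data the attacker has chosen.
$target  = sys_get_temp_dir() . '/poi_demo.php';
$content = "<?php echo 'object injection demo'; ?>";
$payload = sprintf(
    'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($target), $target, strlen($content), $content
);

// 1. Vulnerable call: the returned object is discarded at once, its
//    destructor runs, and the attacker-chosen file is written.
loadSettingsVulnerable($payload);
echo "vulnerable: ", file_exists($target) ? "file written to $target" : "no file", "\n";
@unlink($target);

// 2. Hardened call: the payload still parses, but the object is an inert
//    placeholder and nothing is written.
$obj = loadSettingsHardened($payload);
echo "hardened:   class is ", get_class($obj), "\n";
echo "hardened:   ", file_exists($target) ? "file written" : "no file", "\n";
unset($obj);

// 3. JSON alternative: a PHP-serialized payload is simply rejected.
try {
    loadSettingsJson($payload);
} catch (JsonException $e) {
    echo "json:       rejected (", $e->getMessage(), ")\n";
}
```

Run it with php on PHP 7.3 or later (the allowed_classes option needs PHP 7.0, JSON_THROW_ON_ERROR needs 7.3). A quick check for the vulnerable pattern in an installed extension is to grep its directory for unserialize( and, for every hit whose input can originate from a request, cookie, or a database row that user input populated, either pass ['allowed_classes' => false] or switch that data to JSON. Note that allowed_classes only stops the object-instantiation step; it does nothing for code that later trusts the decoded values, so the contents still need validation.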
Details: https://gist.github.com/mcdruid/52383f40d11becb79ce4033cb46546eb
This was assigned CVE-2025-0841