Research: SQli in Dreamvention Live Ajax Search OpenCart module

I found a SQLi vulnerability in the Dreamvention Live Ajax Search OpenCart module.

This allows an unauthenticated attacker to access any and all content stored in the database.

Via the SQLi vulnerability it's possible to compromise the site by exfiltrating admin session details / credentials.

Details: https://gist.github.com/mcdruid/d6a41cfebd9e10e63a8c698d3a8ad771

This was assigned CVE-2025-1116