As part of my research into Gadget Chains and PHP Object Injection, I discovered an exploitable vulnerability in multiple OpenCart modules named aridius_XYZ.
It appears that current "official" releases of Aridius modules are not vulnerable. However, it also appears to be common for "unofficial" versions of the extensions to be used.
At the time of discovery, at least one such unofficial version was available for free download from the OpenCart marketplace - this release was vulnerable.
The vulnerability is exploitable remotely without authentication.