CVE-2024-21514 Overview
CVE-2024-21514 is an SQL Injection vulnerability in the Divido payment extension bundled by default with OpenCart version 3.0.3.9. The flaw resides in catalog/model/extension/payment/divido.php and is reachable without authentication. An anonymous attacker can exploit the issue even when the Divido payment module is installed but not enabled. Successful exploitation grants unauthorized read and write access to the backend database, including customer personally identifiable information (PII). The vulnerability is tracked under CWE-89: Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Unauthenticated attackers can dump the entire OpenCart database — including customer PII, order data, and administrative credentials — from any storefront where the Divido extension is present.
Affected Products
- OpenCart 3.0.3.9 (Divido payment extension included by default)
- OpenCart installations from 0.0.0 onwards where the Divido payment module is installed
- Any OpenCart deployment with extension/payment/divido present, regardless of whether the module is enabled
Discovery Timeline
- 2024-06-22 - CVE-2024-21514 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-21514
Vulnerability Analysis
The vulnerability stems from unsanitized input passed directly into SQL statements within the Divido payment integration. OpenCart 3.0.3.9 ships the Divido module by default, which exposes a public callback endpoint reachable through the catalog storefront. The endpoint processes attacker-controlled parameters and concatenates them into database queries without parameterization or escaping. Because the entry point lives under the public storefront, no authentication, session, or administrative privilege is required. The Exploit Prediction Scoring System places this issue in the top percentile for likelihood of exploitation, reflecting both the simplicity of SQL injection tooling and the widespread deployment of OpenCart.
Root Cause
The root cause is improper neutralization of user input in the divido.php model file at upload/catalog/model/extension/payment/divido.php. Request parameters flow into a $this->db->query() call without being routed through $this->db->escape() or prepared statements. OpenCart maintainers responded by removing the Divido extension entirely rather than patching individual sinks. The commit message in the upstream fix states the code was removed because "whoever put it there left some big issues," indicating multiple unsafe code paths beyond a single injection point.
Attack Vector
An attacker sends crafted HTTP requests to the Divido payment endpoint exposed by the OpenCart catalog router. Injected SQL payloads are executed in the context of the OpenCart database user, which typically has full read and write access to oc_customer, oc_order, oc_user, and related tables. Attackers can extract password hashes, session tokens, API keys, and PII, or write malicious records to escalate to administrative access.
// Upstream remediation: the entire Divido extension was removed
// rather than patched. Excerpt from the removed file:
// upload/admin/controller/extension/module/divido_calculator.php
-<?php
-class ControllerExtensionModuleDividoCalculator extends Controller {
- private $error = array();
-
- public function index() {
- $this->load->language('extension/module/divido_calculator');
- $this->load->model('setting/setting');
-
- $this->document->setTitle($this->language->get('heading_title'));
-
- if (($this->request->server['REQUEST_METHOD'] == 'POST') && $this->validate()) {
- $this->model_setting_setting->editSetting('module_divido_calculator', $this->request->post);
- $this->session->data['success'] = $this->language->get('text_success');
- $this->response->redirect($this->url->link('marketplace/extension', 'user_token=' . $this->session->data['user_token'] . '&type=module', true));
- }
Source: opencart/opencart commit 46bd5f5
Detection Methods for CVE-2024-21514
Indicators of Compromise
- Web server access logs containing requests to /index.php?route=extension/payment/divido* with SQL metacharacters such as ', UNION, SELECT, SLEEP(, or -- in query parameters or POST bodies
- Presence of catalog/model/extension/payment/divido.php and admin/controller/extension/module/divido_calculator.php on disk in OpenCart 3.0.3.9 installations
- Unexpected outbound database queries returning oc_customer, oc_user, or oc_session table data in response bodies
- Anomalous read volume against the MySQL/MariaDB account used by OpenCart, particularly SELECT queries against authentication tables
Detection Strategies
- Deploy web application firewall (WAF) signatures that inspect requests to OpenCart catalog payment routes for SQL injection patterns, including time-based and UNION-based payloads
- Enable MySQL general query logging or audit plugins and alert on UNION SELECT queries originating from the OpenCart PHP process
- Hunt across PHP-FPM and Apache/Nginx logs for sustained request bursts to route=extension/payment/divido from a single source IP, which is consistent with automated SQLi tooling such as sqlmap
Monitoring Recommendations
- Monitor file integrity on the catalog/model/extension/payment/ and admin/controller/extension/module/ directories to identify when Divido files remain after upgrades
- Forward web and database telemetry to a centralized SIEM and correlate storefront request anomalies with database row-count spikes
- Track outbound traffic from web servers for large response payloads to unfamiliar destinations, which can indicate database exfiltration
How to Mitigate CVE-2024-21514
Immediate Actions Required
- Remove the Divido payment extension files from any OpenCart deployment, mirroring the upstream remediation in commit 46bd5f5a8056ff9aad0aa7d71729c4cf593d67e2
- Apply the latest OpenCart release that no longer ships the Divido extension and verify the files are absent post-upgrade
- Rotate all OpenCart administrator passwords, API tokens, and database credentials, as unauthenticated read access may have already exposed them
- Audit the oc_user, oc_customer, and oc_order tables for unauthorized rows or modified privilege fields
Patch Information
The maintainers resolved CVE-2024-21514 by removing the Divido extension entirely in opencart/opencart commit 46bd5f5a8056ff9aad0aa7d71729c4cf593d67e2. Operators running OpenCart 3.0.3.9 must upgrade to a release that incorporates this commit or manually delete the Divido files listed in the commit. Additional vulnerability details are documented in the Snyk Vulnerability Report.
Workarounds
- Delete upload/catalog/controller/extension/payment/divido.php, upload/catalog/model/extension/payment/divido.php, and the corresponding admin/controller/extension/module/divido_calculator.php files if an immediate upgrade is not possible
- Block requests to route=extension/payment/divido and route=extension/module/divido_calculator at the reverse proxy or WAF layer until files are removed
- Restrict the OpenCart database account to the minimum required privileges and deny access to administrative tables where feasible
# Locate and remove Divido extension files on an OpenCart 3.0.3.9 host
find /var/www/opencart -type f -name 'divido*.php' -print
# After review, remove the vulnerable files
find /var/www/opencart -type f -name 'divido*.php' -delete
# Block the vulnerable routes at the Nginx layer until upgrade
# Add inside the server block:
# location ~* route=extension/(payment/divido|module/divido_calculator) {
# return 404;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

