I've got a partial exploit chain for opencart. Got tons of methods for getting code exec post-auth. I just need something preauth such as reflective xss or csrf to chain with. If anyone thinks they're able to help, send me a PM. We can split profits 50/50 if we get a working PoC (already got the potential sale lined up w/ my 0day broker).

I wasn't sure where to post this so I just put it in the "random discussion" section.

There's a live demo of opencart at https://demo.opencart.com/ but some CRUD functionality is disabled, so I'd suggest running it locally via xampp or something instead. I've already got SQLi, SSTI, LFD, some BAC issues, and a few other post-auth vulns... but I need something preauth such as XSS or CSRF to chain with. So far, all I've managed to find preauth is FPD via array insertion (like so: https://demo.opencart.com/index.php?route[]=product/category&path=24) but of course while that is useful for pairing with the LFD, the LFD is still post-auth alongside the other vulns, so I still need something like rXSS or CSRF to chain with. If anyone is able to help me find either of those bugs, we can chain w/ my current post-auth vulns in order to create a PoC for a preauth RCE chain... we can then sell that to one of my brokers and split the payout 50/50 :)