OpenCart is vulnerable to a CSRF attack that allows an attacker, among other things, to change the e-mail address of the PayPal account that receives the money when a buyer pays with PayPal.
This is a demo of the exploit: if the administrator is logged in (which is highly likely, given that he has to handle orders), getting him to visit a specially crafted page is enough to change the e-mail address of the PayPal account (and many other things).
In this demo, the administrator types the URL of the exploit directly, but you have to imagine that he is tricked into visiting it. A good scenario would be sending the administrator an e-mail explaining that we found the same products elsewhere, but a lot cheaper. The e-mail would include the URL containing the exploit, which the administrator would very probably visit.
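The missing server-side check behind this class of bug, as an added example (not OpenCart's code and not part of the original page): a per-session token that a cross-site page cannot read, required on every state-changing admin request. The function names, the session and form keys, and the `paypal_email` setting are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example with hypothetical names; this is not OpenCart's code.

// Issue one random token per admin session; admin forms embed it in a hidden field.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Constant-time comparison of the submitted token with the one stored in the session.
function csrf_valid(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    return is_string($supplied) && $expected !== '' && hash_equals($expected, $supplied);
}

// Hypothetical handler for the PayPal receiver e-mail setting; returns an HTTP status code.
function save_paypal_email(array $session, string $method, array $post, array &$settings): int
{
    if ($method !== 'POST') { return 405; }                 // never change state on GET
    if (empty($session['admin_logged_in'])) { return 401; } // must be an authenticated admin
    if (!csrf_valid($session, $post)) { return 403; }       // a session cookie alone is not enough
    $email = filter_var($post['paypal_email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) { return 422; }
    $settings['paypal_email'] = $email;
    return 200;
}

// Constructed sample data: a logged-in administrator and the current setting.
$session  = ['admin_logged_in' => true];
$settings = ['paypal_email' => 'shop@example.com'];
$token    = csrf_token($session);

// Cross-site request: the browser attaches the session, but the page cannot supply the token.
$forged = save_paypal_email($session, 'POST', ['paypal_email' => 'other@example.net'], $settings);
$afterForged = $settings['paypal_email'];

// Request from the real admin form, which carries the hidden token field.
$legit = save_paypal_email($session, 'POST',
    ['paypal_email' => 'billing@example.com', 'csrf_token' => $token], $settings);

printf("forged: %d (setting still %s)\n", $forged, $afterForged);
printf("legitimate: %d (setting now %s)\n", $legit, $settings['paypal_email']);
```

Setting the admin session cookie with `SameSite=Lax` or `Strict` adds a second layer, since the browser then withholds the cookie on cross-site form POSTs.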