Skip to main content

ShopXO CVE-2026-12204

| EUVD-2026-36679 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-15 VulDB GHSA-mj5p-9vqp-6mww
Authentication Bypass PHP Shopxo
5.5
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.3 HIGH

Network-accessible unauthenticated endpoint (AV:N, PR:N); low complexity per POC; integrity and confidentiality limited to order-scope data with no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
Jun 15, 2026 - 02:22 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
Analysis Generated
Jun 15, 2026 - 02:12 vuln.today

DescriptionCVE.org

A vulnerability was determined in ShopXO up to 6.7.1. This vulnerability affects the function OrderClose/OrderSuccess/PayLogOrderClose/GoodsGiveIntegral of the file app/api/controller/Crontab.php of the component Scheduled Task Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Unauthenticated remote access to ShopXO's Scheduled Task (Crontab) API endpoint in versions up to 6.7.1 allows any network attacker to invoke order-state mutation functions - including OrderClose, OrderSuccess, PayLogOrderClose, and GoodsGiveIntegral - without any credentials or authorization. This authorization bypass (CWE-639) directly threatens e-commerce integrity: attackers can fraudulently mark unpaid orders as successful, prematurely close active orders, or artificially award loyalty points. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-exposed ShopXO instance
Delivery
Locate unauthenticated Crontab API endpoint
Exploit
Send crafted HTTP request with target order ID
Execution
Trigger OrderSuccess or GoodsGiveIntegral without payment
Impact
Receive goods or loyalty points fraudulently
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The Crontab controller endpoint must be reachable over the network - specifically, the API route for app/api/controller/Crontab.php must not be blocked by a firewall, reverse proxy ACL, or web server access control. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) represents the most accessible possible exploitation profile: remote, unauthenticated, zero complexity, no attack prerequisites. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker discovers a ShopXO storefront and identifies the exposed Crontab API endpoint using the public proof-of-concept at https://github.com/yunyan05/MYCVE/tree/main/ShopXO/V6.7.1-Unauthenticated-Crontab-Trigger. The attacker sends a crafted HTTP request directly to the OrderSuccess function endpoint, passing a target order ID, causing the platform to mark an unpaid order as completed and potentially trigger goods dispatch or loyalty point awards without any legitimate transaction. …
Remediation No vendor-released patch has been identified at time of analysis - the vendor did not respond to disclosure. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

CVE-2026-12204 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy