Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.3, the checkout endpoint accepts a user-controlled cart_id and uses it to enter the payment flow without verifying cart ownership. A logged-in attacker can therefore reuse another user's cart data in their own checkout session. This vulnerability is fixed in 1.0.8.3.
AnalysisAI
Vvveb CMS versions before 1.0.8.3 allow authenticated users to hijack other users' shopping carts during checkout. The checkout endpoint fails to verify cart ownership when processing a user-supplied cart_id parameter, enabling attackers to access and potentially complete purchases using another user's cart contents. This vulnerability has been patched in version 1.0.8.3.
Technical ContextAI
Vvveb is a content management system with integrated ecommerce functionality and visual page builder capabilities. The vulnerability stems from improper authorization (CWE-639) in the checkout workflow, where the system accepts cart identifiers without verifying that the requesting user owns the referenced cart. This allows horizontal privilege escalation between authenticated users sharing the same application instance.
RemediationAI
Vendor-released patch: upgrade to Vvveb CMS version 1.0.8.3 or later, which implements proper cart ownership verification. The fix is available through the official Vvveb repository. As an interim mitigation for deployments unable to immediately upgrade, consider implementing additional session validation at the web application firewall level or temporarily disabling guest checkout functionality if it allows easier cart manipulation. Monitor checkout logs for anomalous cart_id usage patterns that may indicate exploitation attempts.
An issue in vvveb CMS v.1.0.6 allows a remote attacker to execute arbitrary code via the Plugin mechanism. Rated critica
A security flaw has been discovered in givanz Vvveb up to 1.0.7.2. Rated medium severity (CVSS 5.5), this vulnerability
A security vulnerability has been detected in givanz Vvveb 1.0.7.2. Rated medium severity (CVSS 5.3), this vulnerability
Remote code execution in Vvveb CMS versions prior to 1.0.8.1 allows unauthenticated attackers to inject arbitrary PHP co
Stored cross-site scripting in Vvveb prior to 1.0.8.1 allows authenticated users with media upload and rename permission
Privilege escalation in Vvveb CMS versions prior to 1.0.8.1 allows authenticated low-privileged users to inject role_id=
SQL injection in Vvveb CMS versions before 1.0.8.3 allows authenticated frontend users to execute arbitrary SQL queries
Remote code execution in Vvveb CMS versions before 1.0.8.2 enables low-privilege authenticated users (editor, author, co
Server-Side Request Forgery in Vvveb CMS versions prior to 1.0.8.1 allows authenticated backend users to read arbitrary
Authenticated administrators in Vvveb CMS versions before 1.0.8.3 can access REST API tokens of other administrators thr
Negative quantity manipulation in Vvveb CMS versions before 1.0.8.2 allows unauthenticated remote attackers to create or
Vvveb before 1.0.8.2 exposes the application's secret cron key through an unauthenticated cron controller endpoint, allo
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30584