
BeikeShop EUVD-2026-34993

CVE-2026-11462 | MEDIUM
Improper Authorization (CWE-285)
2026-06-07 · VulDB · GHSA-mvx3-fx3g-c4c2
CVSS 4.0 base score: 5.5

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline (4 events)

Jun 07, 2026 - 23:22 (NVD): Severity changed, HIGH → MEDIUM
Jun 07, 2026 - 23:22 (NVD): CVSS changed, 7.3 (HIGH) → 5.5 (MEDIUM)
Jun 07, 2026 - 22:43 (vuln.today): Source code evidence fetched
Jun 07, 2026 - 22:43 (vuln.today): Analysis generated

Description (NVD)

A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to version 1.6.0.22. The affected code is the callback function in the file plugins/Stripe/Controllers/StripeController.php of the Stripe Plugin component. Manipulating the Request argument leads to improper authorization. The attack can be initiated remotely. An exploit has been made public and could be used. The fix is commit 6719e0fc690ea0a998452092862e0f0a17c65968; applying it is recommended to address this issue.

Analysis (AI)

Improper authorization in the BeikeShop e-commerce platform (versions up to 1.6.0.22) allows remote unauthenticated attackers to forge Stripe payment webhook callbacks and mark unpaid orders as paid. The flawed callback function in plugins/Stripe/Controllers/StripeController.php accepts arbitrary request bodies without verifying the Stripe-Signature header, and publicly available exploit code exists on GitHub. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Identify BeikeShop store with Stripe plugin
Delivery: Place legitimate order to obtain order_number
Exploit: Craft forged Stripe webhook JSON payload
Execution: POST to /callback/stripe without signature
Persist: Server marks order paid via improper authorization
Impact: Receive goods without payment

Vulnerability Assessment (AI)

Exploitation: The target must be running BeikeShop ≤ 1.6.0.22 with the bundled Stripe payment plugin enabled and the public `/callback/stripe` webhook route reachable from the internet (the default deployment exposes it so Stripe can deliver callbacks). …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L correctly reflects a remotely reachable, unauthenticated, low-complexity attack with limited but real impact on each CIA axis. This is appropriate because the attacker cannot read arbitrary data or take over the host, but can manipulate order and payment state. …

Exploit Scenario: An attacker browses a BeikeShop storefront, initiates a normal Stripe checkout to learn the order_number format, then aborts payment. Using the public POC at https://github.com/nuiifornet/BeikeShop-Vulnerability, they send a single crafted JSON POST to `/callback/stripe` containing a `checkout.session.completed`-style event and the victim's order_number in `data.object.metadata.order_number`, with no `Stripe-Signature` header. …

Remediation: Apply the upstream fix from commit 6719e0fc690ea0a998452092862e0f0a17c65968 (https://github.com/beikeshop/beikeshop/commit/6719e0fc690ea0a998452092862e0f0a17c65968) or upgrade to the first BeikeShop release that includes it once published. Note that the input data confirms an upstream commit but does not name a tagged patched release, so verify with the vendor before declaring a specific fixed version. …
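The control the vulnerable callback lacks, as described in the Analysis above, is verification of the `Stripe-Signature` header before any order state is touched. The following is an added Python model of that check (it is not the project's PHP code and not the contents of the upstream commit); it follows Stripe's documented scheme, in which the header carries `t=<unix timestamp>` and one or more `v1=<hex HMAC-SHA256 of "<timestamp>.<raw body>">` computed under the endpoint secret, and rejects missing, tampered, replayed or wrongly keyed callbacks. `ENDPOINT_SECRET`, the function names and the sample event are assumed or constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed endpoint secret for this example only; a real whsec_ value comes from the Stripe dashboard.
ENDPOINT_SECRET = "whsec_example_secret_for_demo_only"
TOLERANCE_SECONDS = 300  # replay window; Stripe's documented default

def parse_signature_header(header):
    """Split 't=<unix ts>,v1=<hex>[,v1=<hex>...]' into (timestamp, [v1 signatures])."""
    timestamp, signatures = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    return timestamp, signatures

def verify_stripe_signature(raw_body, header, secret, now=None):
    """True only if raw_body carries a fresh HMAC-SHA256 signature under the endpoint secret."""
    if not header:
        return False  # the check the vulnerable callback lacked: no header, no trust
    timestamp, signatures = parse_signature_header(header)
    if timestamp is None or not signatures:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: reject replayed callbacks
    signed_payload = f"{timestamp}.".encode() + raw_body  # Stripe signs "<ts>.<raw body>"
    expected = hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest()
    # Several v1 entries may be present during secret rotation; compare in constant time.
    return any(hmac.compare_digest(expected, sig) for sig in signatures)

def sign_like_stripe(raw_body, secret, timestamp):
    """Produce the header Stripe would send; used here only to build test fixtures."""
    mac = hmac.new(secret.encode(), f"{timestamp}.".encode() + raw_body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"

def handle_callback(raw_body, header, now=None):
    """Hardened callback: authenticate the event before touching any order state."""
    if not verify_stripe_signature(raw_body, header, ENDPOINT_SECRET, now):
        return "rejected"
    event = json.loads(raw_body)
    if event.get("type") != "checkout.session.completed":
        return "ignored"
    return "paid:" + event["data"]["object"]["metadata"]["order_number"]
```

Note that the raw request bytes must be signed, not a re-serialised copy of the parsed JSON, or a valid signature will fail to verify.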

Recommended Action (AI)

Within 24 hours: Identify all BeikeShop instances in production running version 1.6.0.22 or earlier and assess internet exposure. …



EUVD-2026-34993 vulnerability details – vuln.today
