Shopxo
Unauthenticated remote access to ShopXO's Scheduled Task (Crontab) API endpoint in versions up to 6.7.1 lets any network attacker invoke order-state mutation functions, including OrderClose, OrderSuccess, PayLogOrderClose and GoodsGiveIntegral, without credentials or authorization. This authorization bypass (CWE-639) directly threatens e-commerce integrity: an attacker can mark unpaid orders as successfully paid, close active orders prematurely, or award loyalty points that were never earned. A public proof-of-concept exploit is available on GitHub, no vendor patch has been released, and the vendor did not respond to responsible disclosure, so this is an immediately actionable risk for any internet-exposed ShopXO deployment.
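As an added detection example, not part of this listing and not ShopXO's own code: a Python script that scans web-server access logs for requests that reach the crontab endpoint carrying one of the four mutation functions named above, and separates those from clients outside the scheduler's own address range. The ThinkPHP-style route shape (`s=/api/crontab/index&type=<Func>`), the "crontab" marker used to recognise the endpoint, the trusted-network list and the log lines are all constructed assumptions for illustration; adapt them to the deployment's real routing and scheduler host.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Order-state mutation functions named in the advisory above.
MUTATION_FUNCS = {"OrderClose", "OrderSuccess", "PayLogOrderClose", "GoodsGiveIntegral"}

# Assumption: requests to the scheduled-task endpoint can be recognised by the
# string "crontab" somewhere in the request target (path or route parameter).
CRONTAB_MARKER = re.compile(r"crontab", re.IGNORECASE)

# Assumption: a legitimate cron trigger originates on the shop host itself.
# Replace with the real scheduler's address range in a given deployment.
TRUSTED_NETS = [ip_network("127.0.0.0/8"), ip_network("::1/128")]

# Combined/common log format: client, ident, user, [time], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed sample access log (not real traffic). The ThinkPHP-style route
# "s=/api/crontab/index&type=<Func>" is assumed for illustration only.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Jan/2025:03:00:01 +0000] "GET /index.php?s=/api/crontab/index&type=OrderClose HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2025:03:12:44 +0000] "GET /index.php?s=/api/crontab/index&type=OrderSuccess HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jan/2025:03:12:45 +0000] "POST /index.php?s=/api/crontab/index&type=GoodsGiveIntegral HTTP/1.1" 200 498 "-" "python-requests/2.31"
198.51.100.23 - - [10/Jan/2025:03:15:02 +0000] "GET /index.php?s=/index/goods/index&id=42 HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
"""


def mutation_functions_in(target: str) -> set[str]:
    """Return the advisory's mutation function names present in a request target.

    A name counts when it is a whole query value, or a whole '/'-separated
    segment of the path or of any query value (e.g. a route like .../OrderClose).
    """
    parts = urlsplit(target)
    candidates = set(parts.path.split("/"))
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for value in values:
            candidates.add(value)
            candidates.update(value.split("/"))
    return candidates & MUTATION_FUNCS


def is_trusted_source(ip_text: str) -> bool:
    """True when the client address falls inside an allow-listed scheduler network."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def find_crontab_mutations(lines):
    """One finding per request that reaches the crontab endpoint with a mutation
    function; each finding records whether the client address was trusted."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not CRONTAB_MARKER.search(m["target"]):
            continue
        funcs = mutation_functions_in(m["target"])
        if not funcs:
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "method": m["method"],
            "functions": sorted(funcs),
            "status": int(m["status"]),
            "trusted_source": is_trusted_source(m["ip"]),
        })
    return findings


def untrusted_mutations(lines):
    """Findings from clients outside TRUSTED_NETS: the ones to treat as abuse."""
    return [f for f in find_crontab_mutations(lines) if not f["trusted_source"]]


if __name__ == "__main__":
    for f in untrusted_mutations(SAMPLE_LOG.splitlines()):
        print(f"{f['time']} {f['ip']} {f['method']} -> {','.join(f['functions'])} (HTTP {f['status']})")
```

On the constructed log this reports the two requests from 203.0.113.7 and ignores the loopback trigger and the ordinary goods page view. Until a vendor patch exists, the same allow-list used here as a detection condition is the practical mitigation: restrict the crontab endpoint at the web server or firewall to the host or network that actually runs the scheduler, since the application itself performs no authorization on it.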
A vulnerability was found in zongzhige ShopXO 6.5.0. Rated medium severity (CVSS 5.3); remotely exploitable with low attack complexity. No vendor patch is available.
ShopXO v6.4.0 has SSRF and XSS vulnerabilities in multiple places. Rated medium severity (CVSS 6.5); remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.
ShopXO v6.4.0 is vulnerable to Server-Side Request Forgery (SSRF) in Email Settings. Rated medium severity (CVSS 6.3); remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.
ShopXO v6.4.0 is vulnerable to Server-Side Request Forgery (SSRF) via the image upload function. Rated medium severity (CVSS 6.3); remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.
ShopXO 6.4.0 is vulnerable to a file upload flaw in ThemeDataService.php. Rated critical severity (CVSS 9.8); remotely exploitable without authentication and with low attack complexity. Public exploit code is available and no vendor patch is available.
A vulnerability was found in ShopXO up to 6.4.0. Rated medium severity (CVSS 5.1); remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.