CVE-2026-12204

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions ShopXO versions prior to 6.7.2

Description An authorization bypass exists in the Scheduled Task Endpoint within the app/api/controller/Crontab.php file. This issue allows a remote attacker to bypass authorization by manipulating the OrderClose(), OrderSuccess(), PayLogOrderClose(), or GoodsGiveIntegral() functions.

Recommendations Update to a version newer than 6.7.1. As a temporary workaround, restrict access to the OrderClose(), OrderSuccess(), PayLogOrderClose(), and GoodsGiveIntegral() functions in the app/api/controller/Crontab.php file.

Exploit

Fix

Improper Authorization

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-285CWE-639

Related Identifiers

CVE-2026-12204

Affected Products

Shopxo

CVE-2026-12204

Weakness Enumeration

Related Identifiers

Affected Products

References · 7