Description
A vulnerability was determined in ShopXO up to 6.7.1. This vulnerability affects the function OrderClose/OrderSuccess/PayLogOrderClose/GoodsGiveIntegral of the file app/api/controller/Crontab.php of the component Scheduled Task Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-15
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Scheduled Task Endpoint file Crontab.php within ShopXO leads to an unauthorized privilege escalation that allows a remote actor to invoke backend operations such as OrderClose, OrderSuccess, PayLogOrderClose and GoodsGiveIntegral. The defect permits the bypass of legitimate authentication checks, effectively letting attackers execute these functions without credential verification. In practice this could enable denial of service, monetary loss or manipulation of reward points for users.

Affected Systems

ShopXO is affected, versions up to and including 6.7.1 possess the vulnerability. Any deployment of these releases that retains the exposed Crontab.php endpoint is vulnerable.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate to high severity. No EPSS score is available, but the issue has been publicly disclosed and can be leveraged remotely, so an attacker with network access could exploit it. The vulnerability is not present in the CISA KEV catalog, but the lack of vendor response suggests a critical risk for administrators who have not yet patched or mitigated.

Generated by OpenCVE AI on June 15, 2026 at 03:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ShopXO to the latest version (≥6.7.2) or apply the vendor’s patch once available
  • If an upgrade is not feasible, restrict access to the Crontab.php endpoint to trusted administrative IP ranges or remove the endpoint entirely from the public interface
  • Implement strict authentication and authorization checks for all scheduled task endpoints, ensuring that no privileged function can be called without proper credentials
  • Review and harden all scheduled task configurations to ensure they can only be executed by authorized system processes

Generated by OpenCVE AI on June 15, 2026 at 03:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 02:00:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in ShopXO up to 6.7.1. This vulnerability affects the function OrderClose/OrderSuccess/PayLogOrderClose/GoodsGiveIntegral of the file app/api/controller/Crontab.php of the component Scheduled Task Endpoint. Executing a manipulation can lead to authorization bypass. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Title ShopXO Scheduled Task Endpoint Crontab.php GoodsGiveIntegral authorization
First Time appeared Shopxo
Shopxo shopxo
Weaknesses CWE-285
CWE-639
CPEs cpe:2.3:a:shopxo:shopxo:*:*:*:*:*:*:*:*
Vendors & Products Shopxo
Shopxo shopxo
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Shopxo Shopxo
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-15T01:15:07.840Z

Reserved: 2026-06-14T11:54:42.627Z

Link: CVE-2026-12204

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-15T02:16:12.290

Modified: 2026-06-15T02:16:12.290

Link: CVE-2026-12204

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-15T03:30:07Z

Weaknesses
  • CWE-285

    Improper Authorization

  • CWE-639

    Authorization Bypass Through User-Controlled Key