Impact
Bagisto, an open-source Laravel eCommerce platform, contains an Insecure Direct Object Reference (IDOR) in the customer order reorder endpoint. When a customer is logged in, the endpoint does not verify that the order identifier supplied in the request belongs to that customer. An attacker can therefore change the order ID parameter, causing the platform to load another customer's order and add its items to the attacker's own cart. This flaw lets the attacker learn the contents of other users' orders, duplicate purchases, and potentially commit fraud. The assigned weaknesses, CWE-284 (Improper Access Control) and CWE-639 (Authorization Bypass Through User-Controlled Key), describe the two halves of the problem: there is no access check on the order, and the order is selected by a key the user controls.
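The following is an added illustration of the pattern described above in a generic Laravel controller; it is not Bagisto's own code, and the class, model, route and policy names (ReorderController, Order, OrderPolicy, cart.index) are assumptions. It shows the vulnerable lookup, where the order is fetched by the client-supplied id alone, beside two equivalent fixes: scoping the query to the authenticated customer, and enforcing an ownership policy.

```php
<?php
// Added example, not Bagisto's code. Names below are assumptions.

namespace App\Http\Controllers;

use App\Models\Order;
use Illuminate\Http\Request;

class ReorderController extends Controller
{
    // VULNERABLE: the order is loaded by the id from the URL with no check
    // that it belongs to the logged-in customer. Any authenticated user can
    // supply another customer's order id and have those items copied into
    // their own cart (the IDOR described in the advisory).
    public function reorderVulnerable(Request $request, int $orderId)
    {
        $order = Order::findOrFail($orderId);            // no ownership check
        $this->copyItemsToCart($request->user(), $order);
        return redirect()->route('cart.index');          // assumed route name
    }

    // FIX 1: scope the lookup to the current customer. An id that belongs to
    // someone else no longer matches and findOrFail() returns 404, so the
    // endpoint never reveals whether another customer's order exists.
    public function reorderScoped(Request $request, int $orderId)
    {
        $order = Order::where('customer_id', $request->user()->id)
            ->findOrFail($orderId);
        $this->copyItemsToCart($request->user(), $order);
        return redirect()->route('cart.index');
    }

    // FIX 2: load the order, then enforce an explicit ownership policy.
    // Laravel's authorize() throws AuthorizationException (HTTP 403) when
    // OrderPolicy::view() returns false. Use this form when the same
    // check must apply in several controllers.
    public function reorderWithPolicy(Request $request, int $orderId)
    {
        $order = Order::findOrFail($orderId);
        $this->authorize('view', $order);                // OrderPolicy::view
        $this->copyItemsToCart($request->user(), $order);
        return redirect()->route('cart.index');
    }

    // Placeholder for the cart logic; the access-control decision is made
    // before this point, so the copy itself does not need to re-check it.
    private function copyItemsToCart($customer, Order $order): void
    {
        foreach ($order->items as $item) {
            $customer->cart()->addItem($item->product_id, $item->quantity);
        }
    }
}
```

```php
<?php
// Assumed policy class used by reorderWithPolicy(). Register it in
// AuthServiceProvider ($policies = [Order::class => OrderPolicy::class]).

namespace App\Policies;

use App\Models\Customer;
use App\Models\Order;

class OrderPolicy
{
    // The only acceptable owner of an order is the customer it was placed by.
    public function view(Customer $customer, Order $order): bool
    {
        return (int) $order->customer_id === (int) $customer->id;
    }
}
```

A quick regression check for either fix is to log in as customer A, request the reorder endpoint with an order id belonging to customer B, and confirm the response is 404 (scoped form) or 403 (policy form) and that A's cart is unchanged. The scoped query is usually preferable in a shop front end because it does not disclose whether the foreign order id exists at all.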
Affected Systems
All Bagisto installations running a version earlier than 2.3.10 are vulnerable; the affected product is Bagisto as named in the CNA's vendor/product designation. Versions 2.3.10 and later include the patch that closes the issue.
Risk and Exploitability
The CVSS score of 7.1 rates this as a high-severity vulnerability that can result in serious privacy and financial harm. The EPSS score of less than 1% indicates that, as of the latest analysis, the estimated probability of exploitation in the wild over the coming 30 days is low, but the flaw remains present and is discoverable by any authenticated account. The vulnerability is not listed in the CISA KEV catalog, yet a public advisory from Bagisto and a commit that fixes the bug have been published. An attacker with a valid customer session can trigger the IDOR simply by changing the order identifier in the request, so the risk is straightforward to realize without advanced tooling; upgrading to 2.3.10 or later is the mitigation.
OpenCVE Enrichment
Github GHSA