| Title | ShopXO 6.7.1 Authorization Bypass |
|---|
| Description | A vulnerability was found in Gong Fuxiang ShopXO V6.7.1. Affected are the functions OrderClose, OrderSuccess,
PayLogOrderClose and GoodsGiveIntegral of the file app/api/controller/Crontab.php of the component Scheduled Task
Endpoint. The manipulation leads to missing authorization on cron-task endpoints, allowing an unauthenticated attacker
to forcibly advance shipped orders to the "completed" state, prematurely grant goods-bound integrals, mass-close
overdue unpaid orders with inventory rollback, and close overdue pay logs. The attack can be initiated remotely. No
authentication is required for exploitation. The parent controller defines an IsLogin() helper but does not invoke it
from the Crontab controller, and the four action methods carry no per-method authorization gate. The exploit has been
disclosed to the public and may be used. |
|---|
| Source | ⚠️ https://github.com/yunyan05/MYCVE/tree/main/ShopXO/V6.7.1-Unauthenticated-Crontab-Trigger |
|---|
| User | yunyan05 (UID 90348) |
|---|
| Submission | 05/15/2026 11:11 (1 month ago) |
|---|
| Moderation | 06/14/2026 13:54 (1 month later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 370847 [ShopXO up to 6.7.1 Scheduled Task Endpoint Crontab.php authorization] |
|---|
| Points | 20 |
|---|