CVE-2026-12204: ShopXO Scheduled Task Authorization Bypass

Overview

CVE-2026-12204 is a high-severity authorization bypass vulnerability discovered in ShopXO, a popular open-source PHP e-commerce platform. The flaw exists in the scheduled task (Crontab) controller and allows manipulation of order lifecycle functions without proper authentication, potentially exposing shops to unauthorized order state changes.

CVSS Score: 7.3 (High)
Affected Versions: ShopXO up to and including 6.7.1
Vulnerability Type: Authorization Bypass / Improper Access Control
Published: June 15, 2026

Technical Details

The vulnerability affects the following functions within app/api/controller/Crontab.php:

OrderClose — closes pending orders
OrderSuccess — marks orders as successfully completed
PayLogOrderClose — closes payment log order records
GoodsGiveIntegral — awards loyalty points for product purchases

These functions are exposed via the Scheduled Task Endpoint component and lack sufficient authorization checks. An attacker who can reach the endpoint can trigger these state-change operations without being an authenticated administrator, potentially closing active orders, falsely marking orders as paid, or manipulating loyalty point balances.

Attack Vector

The vulnerability requires network access to the ShopXO API endpoint. In default deployments where the admin API is exposed to the internet or internal networks without additional authentication controls, this creates a meaningful risk surface for:

Order manipulation — forcibly closing or completing customer orders
Loyalty point fraud — triggering integral award functions without corresponding purchases
Business logic abuse — disrupting order workflows and payment reconciliation

Affected Component

Component	Path
Controller	`app/api/controller/Crontab.php`
Functions	`OrderClose`, `OrderSuccess`, `PayLogOrderClose`, `GoodsGiveIntegral`
Endpoint Type	Scheduled Task API
Platform	ShopXO (PHP, ThinkPHP framework)

Mitigation

Upgrade immediately to a patched version of ShopXO beyond 6.7.1 when available from the official repository.
Restrict access to the /api/ controller endpoints at the web server or firewall level, particularly for scheduled task endpoints not intended for public access.
Implement IP allowlisting for cron/scheduled task API endpoints to limit exposure to trusted sources.
Review server logs for unexpected calls to the affected Crontab controller functions, particularly OrderClose and OrderSuccess, originating from untrusted IPs.
Monitor order state changes for anomalous patterns, including mass order closures or unexpected loyalty point awards.

References

Overview

CVSS Score: 7.3 (High)

Affected Versions: ShopXO up to and including 6.7.1

Vulnerability Type: Authorization Bypass / Improper Access Control

Published: June 15, 2026

Technical Details

The vulnerability affects the following functions within app/api/controller/Crontab.php:

OrderClose — closes pending orders

OrderSuccess — marks orders as successfully completed

PayLogOrderClose — closes payment log order records

GoodsGiveIntegral — awards loyalty points for product purchases

Attack Vector

Order manipulation — forcibly closing or completing customer orders

Loyalty point fraud — triggering integral award functions without corresponding purchases

Business logic abuse — disrupting order workflows and payment reconciliation

Component

Path

Controller

app/api/controller/Crontab.php

Functions

OrderClose, OrderSuccess, PayLogOrderClose, GoodsGiveIntegral

Endpoint Type

Scheduled Task API

Platform

ShopXO (PHP, ThinkPHP framework)

Mitigation

Upgrade immediately to a patched version of ShopXO beyond 6.7.1 when available from the official repository.

Restrict access to the /api/ controller endpoints at the web server or firewall level, particularly for scheduled task endpoints not intended for public access.

Implement IP allowlisting for cron/scheduled task API endpoints to limit exposure to trusted sources.

Review server logs for unexpected calls to the affected Crontab controller functions, particularly OrderClose and OrderSuccess, originating from untrusted IPs.

Monitor order state changes for anomalous patterns, including mass order closures or unexpected loyalty point awards.

CVE-2026-12204: ShopXO Scheduled Task Authorization Bypass

Affected Products

Overview

Technical Details

Attack Vector

Affected Component

Mitigation

References

CVE-2026-47365: WordPress Toolkit Argument Injection in cPanel & WHM

CVE-2026-45247 — Mirasvit Magento 2 Cache Warmer PHP Object Injection RCE

CVE-2018-25362: Twitter-Clone SQL Injection via follow.php

CVE-2026-12204: ShopXO Scheduled Task Authorization Bypass

Affected Products

Overview

Technical Details

Attack Vector

Affected Component

Mitigation

References

CVE-2026-47365: WordPress Toolkit Argument Injection in cPanel & WHM

CVE-2026-45247 — Mirasvit Magento 2 Cache Warmer PHP Object Injection RCE

CVE-2018-25362: Twitter-Clone SQL Injection via follow.php