CVE-2026-11462
Status: Deferred - Pending Action
Improper Authorization in BeikeShop Stripe Plugin

Publication date: 2026-06-07

Last updated on: 2026-06-07

Assigner: VulDB

Description
A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to version 1.6.0.22. It affects the function callback in the file plugins/Stripe/Controllers/StripeController.php of the Stripe Plugin component. Manipulating the argument Request results in improper authorization: the callback acts on the request without establishing that it is entitled to. The attack can be initiated remotely. A public exploit exists and could be used. The fix is commit 6719e0fc690ea0a998452092862e0f0a17c65968; installing the patch is recommended.
Meta Information
Generated: 2026-06-08 (AI Q&A generated 2026-06-08)
EPSS: not yet evaluated (N/A)
Affected Vendors & Products (2 associated CPEs)
Vendor                               | Product       | Version / Range
chengdu_everbrite_network_technology | beikeshop     | up to 1.6.0.22 (inclusive)
stripe                               | stripe_plugin | up to 1.6.0.22 (inclusive)
CWE
CWE ID  | Description
CWE-266 | Incorrect Privilege Assignment: a product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-285 | Improper Authorization: the product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
AI-generated analysis
Executive Summary

This vulnerability exists in the Stripe Plugin of Chengdu Everbrite Network Technology BeikeShop up to version 1.6.0.22, specifically in the callback function located in plugins/Stripe/Controllers/StripeController.php.

An attacker can manipulate the Request argument to bypass proper authorization controls, allowing unauthorized actions to be performed remotely.

The vulnerability has a public exploit available, making it easier for attackers to take advantage of it.

A patch has been released to fix this issue, and it is recommended to apply it.

Impact Analysis

Exploitation of this vulnerability results in improper authorization: the Stripe callback performs an action on behalf of a caller who was never verified, so attackers can trigger actions they are not permitted to perform.

The endpoint is a webhook receiver, reachable by any remote client by design, and the flaw is a missing authorization check rather than a bug that needs a logged-in user or any victim interaction, which makes the exposure significant.

The concrete impact described for this issue is forged payment confirmations: orders marked as paid without a real charge, with the resulting corruption of sales and financial data. Depending on what else the callback does, unauthorized data modification and disruption of order processing are also possible.

Mitigation Strategies

Apply the fix in commit 6719e0fc690ea0a998452092862e0f0a17c65968, or upgrade to a BeikeShop release that includes it. After deployment, confirm that the Stripe callback rejects an unsigned POST, and because a public exploit exists, review recent orders marked as paid for entries that have no matching charge in the Stripe dashboard.
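
As an added example, written in Python rather than the plugin's PHP and not taken from BeikeShop or from the referenced commit, the following shows the check a Stripe webhook callback needs. Stripe signs every delivery with a Stripe-Signature header of the form t=<unix seconds>,v1=<hex>, where v1 is HMAC-SHA256 over "<t>.<raw body>" keyed with the endpoint's signing secret. The unverified handler accepts a forged charge.succeeded body and would mark the named order paid; the hardened handler only acts when a v1 signature matches the raw body and the timestamp is within the replay window. The secret, order numbers and event bodies are constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

# Constructed values for the example; a real endpoint secret comes from the Stripe dashboard.
ENDPOINT_SECRET = "whsec_constructed_example_secret"
TOLERANCE_SECONDS = 300  # Stripe's documented default replay window


def make_event(order_no: str, event_type: str = "charge.succeeded") -> str:
    """Constructed webhook body in the shape the detection guidance on this page describes."""
    return json.dumps({"type": event_type,
                       "data": {"object": {"metadata": {"order_no": order_no}}}})


def sign_payload(payload: str, secret: str, timestamp: int) -> str:
    """Produce a Stripe-Signature header value, t=<ts>,v1=<hex>, the way Stripe does:
    HMAC-SHA256 over "<ts>.<raw body>" keyed with the endpoint secret."""
    mac = hmac.new(secret.encode(), f"{timestamp}.{payload}".encode(), hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


def verify_signature(payload: str, header: Optional[str], secret: str,
                     now: Optional[int] = None, tolerance: int = TOLERANCE_SECONDS) -> bool:
    """True only if some v1 signature matches the raw body and the timestamp is not stale."""
    if not header:
        return False
    timestamp = None
    candidates: List[str] = []
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            return False  # not a key=value pair: malformed header
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not timestamp.isdigit() or not candidates:
        return False
    ts = int(timestamp)
    now = int(time.time()) if now is None else now
    if now - ts > tolerance:  # replayed or stale event
        return False
    expected = hmac.new(secret.encode(), f"{ts}.{payload}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison against every v1 candidate (Stripe may send several during key rotation).
    return any(hmac.compare_digest(expected.encode(), sig.encode()) for sig in candidates)


def callback_unverified(payload: str) -> Optional[str]:
    """Weak pattern: trust the request body. Returns the order that would be marked paid."""
    event: Dict = json.loads(payload)
    if event.get("type") != "charge.succeeded":
        return None
    return event["data"]["object"]["metadata"]["order_no"]


def callback_verified(payload: str, header: Optional[str], secret: str,
                      now: Optional[int] = None) -> Optional[str]:
    """Hardened pattern: verify the signature over the raw body before acting on the event."""
    if not verify_signature(payload, header, secret, now=now):
        return None  # a real handler would answer 400 and log the attempt
    return callback_unverified(payload)


if __name__ == "__main__":
    forged = make_event("1001")
    print("unverified handler marks paid:", callback_unverified(forged))
    print("verified handler, no header:", callback_verified(forged, None, ENDPOINT_SECRET))
    header = sign_payload(forged, ENDPOINT_SECRET, 1780000000)
    print("verified handler, good header:", callback_verified(forged, header, ENDPOINT_SECRET, now=1780000000))
```

The signature must be computed over the raw request body exactly as received; re-serialising a parsed JSON object changes whitespace and key order and makes a genuine signature fail to verify.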

Compliance Impact

The vulnerability allows unauthenticated attackers to forge Stripe webhook events and mark orders as paid without actual payment, leading to financial loss and manipulation of sales data.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the improper authorization and potential financial fraud could indirectly impact compliance by violating principles of data integrity and transaction authenticity.

Organizations relying on BeikeShop with this vulnerability might face challenges in meeting regulatory requirements related to secure payment processing and accurate financial reporting.

Detection Guidance

This vulnerability can be detected by monitoring for forged POST requests to the /callback/stripe endpoint of the BeikeShop platform. A genuine Stripe delivery always carries a Stripe-Signature header, so requests to that path that lack the header, carry a malformed one, or carry manipulated order metadata in a charge.succeeded event indicate exploitation attempts.

Web server logs or network traffic inspection can surface such requests, with one caveat: the default nginx combined log format does not record request headers, so a log_format that includes $http_stripe_signature (nginx writes "-" when the header is absent) must be in place before access-log filtering can check for the header.

  • Use curl or a similar tool to check whether the deployed callback enforces signature verification, preferably against a staging instance and with an order number that does not exist: a callback that verifies signatures rejects this unsigned request with an error status, while one that accepts it and looks up the order does not. Example: curl -X POST https://your-beikeshop-domain/callback/stripe -H "Content-Type: application/json" -d '{"type":"charge.succeeded","data":{"object":{"metadata":{"order_no":"test"}}}}'
  • With a log_format that records $http_stripe_signature, use grep or awk on the web server logs to find POST requests to /callback/stripe whose signature field is missing, i.e. carries no v1= value: grep 'POST /callback/stripe' /var/log/nginx/access.log | grep -v 'v1='
  • Configure the intrusion detection system (IDS) or web application firewall (WAF) in front of the shop to alert on, or block, POST requests to the webhook path that lack a Stripe-Signature header. A WAF cannot validate the HMAC itself without the endpoint secret, so this complements verification in the callback rather than replacing it.
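
The log check above, as an added example in Python that is not part of the original page: it runs over constructed nginx access-log lines written with an assumed custom log_format (log_format stripe_hook '$remote_addr [$time_local] "$request" $status "$http_stripe_signature"';, not the nginx default) and flags every POST to /callback/stripe whose Stripe-Signature is the "-" placeholder or does not have the t=<digits>,v1=<64 hex> shape Stripe sends. It then separates the flagged requests the server answered 2xx, which a signature-checking callback would have refused, from probes that were rejected. The IP addresses, timestamps and signature values are constructed.

```python
import re
from typing import Dict, List

# Assumed nginx log_format (not BeikeShop's and not the nginx default):
#   log_format stripe_hook '$remote_addr [$time_local] "$request" $status "$http_stripe_signature"';
# nginx writes "-" for the last field when the request carried no Stripe-Signature header.
LINE_RE = re.compile(
    r'^(?P<addr>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) "(?P<sig>[^"]*)"$'
)
# A genuine header is t=<unix seconds>,v1=<64 hex chars>, optionally with more v1 entries.
SIG_RE = re.compile(r'^t=\d+(,v1=[0-9a-f]{64})+$')
WEBHOOK_PATH = "/callback/stripe"

# Constructed sample log: two unsigned/malformed POSTs accepted with 200, one rejected with 400,
# one properly signed delivery, and an unrelated GET.
SAMPLE_LOG = """\
203.0.113.5 [07/Jun/2026:10:01:02 +0000] "POST /callback/stripe HTTP/1.1" 200 "-"
198.51.100.7 [07/Jun/2026:10:02:10 +0000] "POST /callback/stripe HTTP/1.1" 200 "t=1780000000,v1={good}"
203.0.113.5 [07/Jun/2026:10:03:00 +0000] "POST /callback/stripe HTTP/1.1" 200 "t=now,v1=deadbeef"
192.0.2.9 [07/Jun/2026:10:04:00 +0000] "GET /products HTTP/1.1" 200 "-"
192.0.2.9 [07/Jun/2026:10:05:00 +0000] "POST /callback/stripe HTTP/1.1" 400 "-"
""".format(good="ab" * 32)


def flag_webhook_lines(log_text: str) -> List[Dict[str, str]]:
    """One finding per POST to the webhook path whose Stripe-Signature is missing or malformed."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != WEBHOOK_PATH:
            continue
        sig = m["sig"]
        if sig in ("-", ""):
            reason = "missing Stripe-Signature"
        elif not SIG_RE.match(sig):
            reason = "malformed Stripe-Signature"
        else:
            continue  # well-formed header; the HMAC itself can only be checked with the secret
        findings.append({"addr": m["addr"], "time": m["time"],
                         "status": m["status"], "reason": reason})
    return findings


def accepted_unsigned(findings: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flagged requests the server answered 2xx. A callback that verifies signatures would have
    returned an error, so these are the ones to treat as likely successful exploitation."""
    return [f for f in findings if f["status"].startswith("2")]


if __name__ == "__main__":
    found = flag_webhook_lines(SAMPLE_LOG)
    for f in found:
        print(f)
    print("accepted without a valid header:", len(accepted_unsigned(found)))
```

A well-formed header is not proof of a genuine delivery; confirming the HMAC needs the endpoint secret and the raw body, which only the application has, so log-based detection catches unsigned and sloppy forgeries and the callback's own verification must cover the rest.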