Executive Summary

CVE-2026-12204 is an unauthenticated business-logic tampering vulnerability in ShopXO version 6.7.1. It affects the Scheduled Task Endpoint in the file app/api/controller/Crontab.php, specifically the functions OrderClose, OrderSuccess, PayLogOrderClose, and GoodsGiveIntegral.

The vulnerability arises because these functions, intended to be triggered by an operating system cron scheduler, are exposed as HTTP routes without proper authentication. The parent controller does not enforce login, the IsLogin() method is never called, and the service layer lacks caller validation.

An unauthenticated remote attacker can exploit this by sending HTTP GET requests to these endpoints, triggering production cron tasks without authorization.

Useful 0 Not Useful 0

Impact Analysis

Exploiting this vulnerability allows an attacker to bypass authorization and manipulate order states and related business logic.

• Forcefully confirm orders prematurely.
• Grant loyalty points earlier than intended.
• Manipulate sales statistics, polluting business data.
• Send misleading system messages to buyers.

These impacts can deprive buyers of their statutory refund rights, prematurely release promotional benefits, and undermine merchant operational integrity.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for unauthenticated HTTP GET requests to specific cron-related endpoints in ShopXO, such as /api.php?s=crontab/ordersuccess, /api.php?s=crontab/orderclose, /api.php?s=crontab/paylogorderclose, and /api.php?s=crontab/goodsgiveintegral.

You can use network monitoring tools or web server logs to identify such requests. For example, using command-line tools like curl or wget to test these endpoints can help verify if they are accessible without authentication.

• curl -I http://your-shopxo-domain/api.php?s=crontab/ordersuccess
• curl -I http://your-shopxo-domain/api.php?s=crontab/orderclose
• curl -I http://your-shopxo-domain/api.php?s=crontab/paylogorderclose
• curl -I http://your-shopxo-domain/api.php?s=crontab/goodsgiveintegral

If these endpoints respond without requiring authentication, it indicates the presence of the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include enforcing authentication on the cron controller endpoints to prevent unauthorized access.

• Implement a shared secret token that must be provided with requests to the cron endpoints.
• Restrict access to these endpoints by IP whitelisting, allowing only trusted IP addresses such as the server's own IP or trusted cron scheduler IPs.
• Move the access control logic into a framework middleware to ensure consistent enforcement.
• Avoid leaking processing statistics or sensitive information in the responses from these endpoints.
• Implement rate limiting on the cron endpoints to reduce the risk of abuse or denial-of-service attacks.

Additionally, document secure cron configuration practices to ensure proper setup and maintenance.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthorized remote attackers to manipulate order statuses, prematurely grant loyalty points, and alter sales statistics without authorization. Such unauthorized manipulations can lead to violations of buyer rights, including deprivation of statutory refund windows and misleading system messages.

These impacts can affect compliance with common standards and regulations like GDPR and HIPAA by undermining data integrity, authorization controls, and potentially exposing personal or transactional data to unauthorized changes. The lack of proper authentication and authorization enforcement may result in non-compliance with requirements for protecting user data and ensuring accurate transaction records.

Therefore, this vulnerability poses risks to regulatory compliance by enabling unauthorized business logic tampering that can affect data accuracy, user rights, and operational integrity.

Useful 0 Not Useful 0