CVE-2026-11462: BeikeShop Stripe Plugin Authorization Bypass (HIGH)
BeikeShop, an e-commerce platform by Chengdu Everbrite Network Technology, contains an authorization flaw in its Stripe payment plugin that allows unauthenticated attackers to manipulate request parameters and gain unauthorized access to sensitive functions. The vulnerability affects versions up to 1.6.0.22 and has been publicly disclosed, increasing exploitation risk. A patch is available and should be deployed promptly.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-266, CWE-285
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-07 / 2026-06-17
NVD description (verbatim)
A vulnerability was found in Chengdu Everbrite Network Technology BeikeShop up to 1.6.0.22. This impacts the function callback of the file plugins/Stripe/Controllers/StripeController.php of the component Stripe Plugin. Performing a manipulation of the argument Request results in improper authorization. The attack can be initiated remotely. The exploit has been made public and could be used. The patch is named 6719e0fc690ea0a998452092862e0f0a17c65968. It is suggested to install a patch to address this issue.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-11462 is an improper authorization vulnerability in the Stripe plugin component (plugins/Stripe/Controllers/StripeController.php) of BeikeShop. The vulnerability stems from insufficient authorization checks in the callback function, allowing attackers to manipulate the Request argument to bypass access controls. The flaw is rooted in authorization logic errors (CWE-266, CWE-285) and can be exploited over the network without authentication or user interaction. The CVSS 3.1 score of 7.3 (HIGH) reflects the combination of network accessibility, low complexity, and impact to confidentiality, integrity, and availability.
Business impact
Exploitation of this vulnerability could allow attackers to intercept or manipulate payment processing, potentially leading to unauthorized transactions, payment diversion, or compromise of customer financial data. For merchants using BeikeShop with Stripe integration, this represents a direct threat to transaction integrity and PCI-DSS compliance posture. Delayed patching exposes the organization to fraud, chargebacks, and reputational damage associated with payment system compromise.
Affected systems
BeikeShop versions up to and including 1.6.0.22 are affected. The vulnerability is specific to installations with the Stripe plugin enabled. Organizations running affected versions should prioritize inventory and testing immediately. Later versions may exist; verify your deployment version against vendor release notes.
Exploitability
This vulnerability is actively exploitable with low complexity. No authentication is required, no user interaction is necessary, and the attack surface is network-accessible. Public disclosure has occurred, increasing the likelihood of exploit development and scanning activity. The combination of these factors elevates real-world exploitation risk substantially.
Remediation
Apply the available patch immediately. The patch commit hash is 6719e0fc690ea0a998452092862e0f0a17c65968. Verify this commit hash against the official Chengdu Everbrite vendor repository or security advisory before deployment. If a formal version release is not yet available, coordinate with the vendor to obtain the patched code and test thoroughly in a staging environment before production rollout. As an interim measure, restrict network access to the Stripe callback endpoint if operationally feasible.
Patch guidance
Contact Chengdu Everbrite Network Technology for the official patch release corresponding to commit 6719e0fc690ea0a998452092862e0f0a17c65968. Apply patches to all BeikeShop instances running version 1.6.0.22 or earlier in your environment. Test the patch in a non-production environment that mirrors your production configuration, including payment processing workflows. Document the patching timeline and verify patch application using file integrity monitoring or version checks. Plan for a maintenance window to deploy the patch with minimal business disruption.
Detection guidance
Monitor web server access logs for requests to plugins/Stripe/Controllers/StripeController.php with unusual or manipulated Request parameters, particularly requests from untrusted IP ranges or with suspicious callback patterns. Implement intrusion detection signatures that flag attempts to bypass authorization in payment plugin code paths. Review Stripe transaction logs and payment processor reports for anomalous transactions, timeouts, or callback failures that may indicate exploitation attempts. Enable detailed logging on the Stripe plugin if available, and correlate application logs with network traffic analysis for behavioral indicators of post-exploitation activity.
Why prioritize this
This vulnerability merits immediate prioritization due to its HIGH CVSS score, active public exploit availability, direct impact on payment systems, and zero authentication requirements. Exploitation could result in direct financial loss and regulatory non-compliance. The combination of network accessibility and low attack complexity means opportunistic and targeted attackers alike can exploit unpatched instances with minimal effort.
Risk score, explained
The CVSS 3.1 score of 7.3 (HIGH) is driven by: network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction needed (UI:N), and impact to confidentiality, integrity, and availability (C:L/I:L/A:L). While the individual impacts are rated low, the unrestricted attack surface and zero-friction exploitation path elevate the overall risk to HIGH. The public disclosure and active exploit status further increase real-world severity.
Frequently asked questions
How do I determine if my BeikeShop installation is vulnerable?
Check your BeikeShop version number in the administration panel or configuration files. If you are running version 1.6.0.22 or earlier AND have the Stripe plugin enabled, you are vulnerable. Verify plugin status under installed plugins or extensions. If you have already applied the patch (commit 6719e0fc690ea0a998452092862e0f0a17c65968), you are not vulnerable to this specific issue.
Can this vulnerability be exploited if the Stripe plugin is disabled?
The vulnerability exists in the Stripe plugin component specifically. If the plugin is completely disabled and removed from active operation, the attack surface is eliminated. However, disabling is not a substitute for patching—re-enabling the plugin later would re-expose the vulnerability. Apply the patch to ensure the plugin is secure if you intend to use it.
Does this affect payment data that has already been processed?
This vulnerability concerns authorization bypass in the callback function, which processes payment responses and confirmations. Historical payment data security depends on how the vulnerability was exploited. If exploitation occurred on your system, request a forensic assessment to determine the scope of unauthorized access. Contact your payment processor and consider notifying affected customers if unauthorized transactions were detected.
What should I do if I cannot immediately apply the patch?
As interim mitigations: (1) restrict network access to the Stripe plugin endpoint using firewall rules or web application firewall policies, (2) implement IP whitelisting for known Stripe callback sources, (3) increase monitoring and logging of Stripe-related requests, (4) disable the Stripe plugin if not actively in use, and (5) establish an expedited patch timeline with your development and operations teams. These measures reduce but do not eliminate risk; patching remains the primary remediation.
This analysis is provided for informational and risk management purposes. The information is based on the CVE record and publicly disclosed details as of the publication date. Verify all patch versions, commit hashes, and vendor advisories directly with Chengdu Everbrite Network Technology or official channels before deploying patches to production. SEC.co does not provide legal or compliance advice; consult your organization's legal and compliance teams regarding regulatory obligations related to this vulnerability. Test all patches in a non-production environment before production deployment. This document does not constitute a recommendation to purchase, use, or deploy any specific product or vendor. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10236HIGHSourceCodester Water Billing System Improper Authorization Vulnerability (CVSS 7.3)
- CVE-2026-10070MEDIUMmacrozheng mall Admin Authorization Bypass in /admin/update/
- CVE-2026-10215MEDIUMDolibarr Leave Request API Authorization Bypass
- CVE-2026-10218MEDIUMGoClaw Improper Authorization Vulnerability (CVSS 5.4)
- CVE-2026-10269MEDIUMHost Header Authorization Bypass in Decolua 9router
- CVE-2026-10272MEDIUMStudent-Management-System Authorization Bypass in Admin Panel
- CVE-2026-10282MEDIUMBottelet DaybydayCRM Authorization Bypass in DocumentsController
- CVE-2026-10284MEDIUMImproper Authorization in DevaslanPHP Project-Management Comment Functions