7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-21447

CVE-2026-21447: Bagisto has IDOR in Customer Order Reorder Functionality

Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order ID parameter. This exposes sensitive purchase information and enables potential fraud. Version 2.3.10 patches the issue.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-21447

CVE-2026-21447:

7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
bagisto/bagisto	composer	< 2.3.10	2.3.10

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the reorder method within the OrderController.php file. The security advisory and the commit patch b2b1cf62577245d03a68532478cffbe321df74d3 confirm this. The original code fetched an order solely by its ID (findOrFail($id)), failing to check if the order belonged to the currently authenticated customer. This allowed any authenticated user to access and reorder items from another user's order by simply changing the order ID in the URL. The patch rectifies this by adding a where clause to the database query, ensuring that the customer_id of the retrieved order matches the ID of the logged-in customer.

Vulnerable functions

Webkul\Shop\Http\Controllers\Customer\Account\OrderController::reorder

packages/Webkul/Shop/src/Http/Controllers/Customer/Account/OrderController.php

The 'reorder' function was vulnerable to an Insecure Direct Object Reference (IDOR). It retrieved an order using only the order ID from the URL, without verifying that the order belonged to the authenticated customer. This allowed an attacker to reorder items from another customer's order by manipulating the ID.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-21447: Bagisto has IDOR in Customer Order Reorder Functionality

CVE-2026-21447:

7.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.1

7.1

CVE-2026-21447: Bagisto has IDOR in Customer Order Reorder Functionality

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI