An authorization bypass vulnerability in the BeikeShop Stripe plugin allows remote, unauthenticated attackers to manipulate payment callback processes.

The flaw exists in the Stripe plugin callback function within plugins/Stripe/Controllers/StripeController.php. By manipulating the 'Request' argument, an attacker can bypass authorization controls, potentially affecting payment processing integrity.

With a CVSS score of 7.3, this vulnerability poses a high risk to the e-commerce platform's transaction integrity. Unauthorized manipulation of payment callbacks could lead to fraudulent order completion, financial loss, and degradation of customer trust.

Immediate Action: Update BeikeShop to a version beyond 1.6.0.22 or apply the patch associated with commit 6719e0fc690ea0a998452092862e0f0a17c65968.

Proactive Monitoring: Monitor logs for irregular Stripe callback requests that do not follow the expected schema or source authentication patterns.

Compensating Controls: Use a WAF to inspect incoming payment callback requests and validate that they originate from trusted IP ranges or carry valid cryptographic signatures.

Public Exploit Available: true

The severity of this issue necessitates an immediate upgrade to the patched version. Ensure that all plugin-based authorization checks are verified for consistency across the entire application to prevent similar bypasses.