Dansday

Unprotected API on Bagisto e‑commerce installation

Published on Mar 20, 2026

I recently uncovered a critical security vulnerability within a core component of the Bagisto e‑commerce platform. I am sharing my findings today because this flaw allows an attacker to completely bypass the admin protection mechanisms. During my testing, I found that anyone can reach admin-only routes without passing the intended authentication checks.

The main problem I want to highlight is the severe impact this has on live online stores. By exploiting this vulnerability, an attacker could gain full control over the backend, modify products, alter orders and user data, and even run arbitrary code right inside the application context. What makes this situation so critical is that I observed this vulnerability present since at least version 1.3.0, and it is still sitting right there in the latest stable release. If an installation has not applied a custom patch, it is entirely exposed to attacks.

I can reproduce the issue every single time simply by manipulating request parameters that fail to validate against the admin middleware. This consistent reproducibility confirms to me that the problem is a systemic weakness rather than just a one-off edge case.

This is actually my second public report regarding security matters in Bagisto. My first report, which I submitted in 2024, highlighted a potential browser cookie stealing vulnerability. That issue remains unaddressed in the current release. The persistence of these security gaps tells me that a much more proactive security response process is urgently needed.

My goal in publishing this information is absolutely not to discredit the project. Instead, I want developers, merchants, and the broader community to understand the risk so they can take protective action right away. Prompt remediation is essential if we want to keep trust and protect the data of countless online stores relying on Bagisto.

To address this systemic problem, I am requesting the following actions from the maintainers:

  1. Conduct a thorough security audit
    The maintainers must review the affected component and all related authentication pathways.
  2. Release a patched version
    A new release is required to resolve the admin bypass vulnerability and any related issues.
  3. Provide clear guidance to users
    Merchants and developers need clear instructions on how to apply the fix and verify that their installations are secure.
  4. Establish a transparent disclosure process
    The project needs a structured way to ensure timely communication of future security findings.

I am fully ready to collaborate with the Bagisto maintainers to validate the fix and share any additional details required for a swift resolution. I believe working together is the best way to secure the ecosystem.