Security Advisory - Published 2026-06-08 - Payment webhook
BeikeShop Stripe CVE-2026-11462: Webhook Signature Self-Check
CVE-2026-11462 affects the Stripe payment plugin in BeikeShop. The risky path is
the Stripe callback handler: if it processes webhook data without verifying the
Stripe-Signature header, an order can be moved into a paid state
even when Stripe did not confirm the payment.
What is affected
- Product: BeikeShop with the Stripe payment plugin enabled
- CVE: CVE-2026-11462
- Weakness: missing or improper Stripe webhook signature verification
- Component:
plugins/Stripe/Controllers/StripeController.php - Callback route: Stripe payment callback / webhook route
- Reported affected versions: BeikeShop through 1.6.0 / 1.6.0.22 in public references
- Public exploit signal: yes
- Known exploited in CISA KEV: no, as of this publication
The upstream fix adds webhook-secret configuration, reads the
Stripe-Signature header, and uses Stripe's webhook verification path
before converting the event into order data. That is the correct shape: Stripe
callbacks should be treated as untrusted input until their signature is verified.
Why store owners should care
A payment webhook is not just another form submit. Your store uses it as proof that Stripe accepted money. If the callback accepts unsigned JSON, the practical damage can be very ordinary and very expensive: shipped products, unlocked downloads, false revenue numbers, support refunds, and a messy accounting trail.
10-minute self-check
Step 1: Confirm BeikeShop and Stripe are in use
Check your store admin, deployment notes, plugin list, or source tree. If the Stripe plugin is not installed or not enabled, this specific callback issue is not your active payment path.
Step 2: Look for signature verification in the Stripe plugin
From the BeikeShop application root, search the Stripe plugin code:
cd /path/to/beikeshop
grep -R "webhook_secret\|Stripe-Signature\|Webhook::constructEvent" plugins/Stripe -n A patched implementation should have a webhook secret setting and should call Stripe's webhook construction / signature verification function before it trusts the callback event. If none of those strings appear, treat the store as unpatched until a developer confirms otherwise.
Step 3: Confirm the Stripe webhook secret is configured
In Stripe Dashboard, open the webhook endpoint used by BeikeShop and reveal the
endpoint signing secret. It should start with whsec_. Do not paste a
live API key such as sk_live_ into the webhook-secret field. The
webhook secret and the API secret are different credentials.
Step 4: Review callback logs
Search web-server logs for Stripe callback traffic:
grep -R "/callback/stripe" /var/log/nginx /var/log/apache2 /usr/local/apache/logs 2>/dev/null Then search application logs for failed or missing signature messages:
grep -R "Stripe callback missing signature\|Stripe signature verification failed\|webhook secret" storage/logs 2>/dev/null Failed signatures after patching can be normal if scanners are testing the route. Successful paid-order transitions before you had signature verification deserve a closer look.
Step 5: Match paid orders against Stripe
Pick recent paid orders and compare them with Stripe Dashboard. Focus on these patterns:
- Order marked paid in BeikeShop, but no matching Stripe payment exists
- Amount or currency differs between BeikeShop and Stripe
- Paid-state transition happened right after unusual callback traffic
- Digital goods, license keys, or fulfillment were released automatically
- Callbacks came from networks that do not match your normal Stripe traffic pattern
Safe fix path
- Patch BeikeShop and the Stripe plugin. Use the vendor's fixed code path that verifies webhook signatures.
- Configure the webhook signing secret. Use the
whsec_secret from the exact Stripe webhook endpoint used by the store. - Test with Stripe's dashboard tools. A legitimate test event should pass; a request without a valid signature should fail.
- Review recent paid orders. Reconcile BeikeShop paid orders against Stripe before shipping delayed orders.
- Rotate exposed secrets. If API keys or webhook secrets were pasted into the wrong field, rotate them in Stripe.
- Preserve logs. Keep web and application logs before cleanup if you suspect unpaid orders were marked paid.
Temporary mitigation
If you cannot patch immediately, disable Stripe payments temporarily or switch to manual order review. Do not blindly block the callback route without testing: blocking every callback can stop legitimate payments from confirming and create a different support problem.
When to treat this as an incident
- The store accepted Stripe payments before signature verification was in place.
- Unknown IPs hit the callback route before or during paid-order transitions.
- Paid orders do not match Stripe payment records.
- Automatic fulfillment released goods, downloads, or license keys.
- You cannot tell whether the webhook secret was configured correctly.
Ping7 repair path
Ping7 can run a defensive BeikeShop payment-callback review: confirm the patch, verify webhook-secret configuration, search callback logs, and reconcile suspicious paid orders. Start from CVE Repair and include the domain, BeikeShop version, and whether Stripe is currently enabled.