CVE-2025-59413
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
22/09/2025
Last modified:
23/09/2025
Description
CubeCart is an ecommerce software solution. Prior to version 6.5.11, a logic flaw exists in the newsletter subscription endpoint that allows an attacker to unsubscribe any user without their consent. By changing the value of the force_unsubscribe parameter in the POST request to 1, an attacker can force the removal of any valid subscriber’s email address. This issue has been patched in version 6.5.11.
Impact
Base Score 3.x
6.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:cubecart:cubecart:*:*:*:*:*:*:*:* | 6.5.11 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/cubecart/v6/commit/7fd1cd04f5d5c3ce1d7980327464f0ff6551de79
- https://github.com/cubecart/v6/commit/db965fcfa260c4f17eb16f8c5494e5af4a8ac271
- https://github.com/cubecart/v6/commit/dbc58cf1f7a6291f7add5893b56bff7920a29128
- https://github.com/cubecart/v6/security/advisories/GHSA-869v-gjv8-9m7f
- https://github.com/cubecart/v6/security/advisories/GHSA-869v-gjv8-9m7f