CVE-2025-59413
Published 2025-09-22
Priority: P3 (38) | Severity: medium | CVSS 3.1: 6.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
EPSS: 0.37% (29.2th percentile)
CubeCart is an ecommerce software solution. Prior to version 6.5.11, a logic flaw exists in the newsletter subscription endpoint that allows an attacker to unsubscribe any user without their consent. By changing the value of the force_unsubscribe parameter in the POST request to 1, an attacker can force the removal of any valid subscriber’s email address. This issue has been patched in version 6.5.11.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cubecart | cubecart | < 6.5.11 | 6.5.11 |
| cubecart | v6 | < 6.5.11 | 6.5.11 |
https://github.com/cubecart/v6/commit/7fd1cd04f5d5c3ce1d7980327464f0ff6551de79
https://github.com/cubecart/v6/commit/db965fcfa260c4f17eb16f8c5494e5af4a8ac271
https://github.com/cubecart/v6/commit/dbc58cf1f7a6291f7add5893b56bff7920a29128
https://github.com/cubecart/v6/security/advisories/GHSA-869v-gjv8-9m7f