CVE-2025-59413 MEDIUM

CVE-2025-59413: CubeCart Unauthorized Newsletter Unsubscription via force_unsubscribe Parameter

Vendor CubeCart
Product v6
Weakness CWE-862 · Missing authorization
Published September 22, 2025
Last update September 22, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

CubeCart is an ecommerce software solution. Prior to version 6.5.11, a logic flaw exists in the newsletter subscription endpoint that allows an attacker to unsubscribe any user without their consent. By changing the value of the force_unsubscribe parameter in the POST request to 1, an attacker can force the removal of any valid subscriber’s email address. This issue has been patched in version 6.5.11.

Key dates

02 Disclosure timeline

September 22, 2025 CVE published
September 22, 2025 Record updated
