CVE-2025-13443
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in macrozheng mall up to 1.0.3. Affected by this issue is the function delete of the file /member/readHistory/delete. Performing manipulation of the argument ids results in improper access controls. Remote exploitation of the attack is possible. The exploit is now public and may be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-20
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-11-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13443
EUVD
EUVD-2025-198254
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
macrozheng mall to 1.0.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in macrozheng mall up to version 1.0.3, specifically in the delete function of the /member/readHistory/delete API endpoint. It is an improper access control issue where the system does not verify if the 'ids' parameter for deletion belongs to the authenticated user. As a result, an attacker logged in as one user can manipulate the 'ids' parameter to delete read history entries of other users without authorization, causing unauthorized data deletion. [1]

Impact Analysis

This vulnerability can lead to unauthorized deletion of user data, specifically the read history entries of other users. An attacker can exploit this to delete or tamper with data they should not have access to, potentially causing data loss, user confusion, and undermining trust in the application’s data integrity and security. [1]

Detection Guidance

This vulnerability can be detected by monitoring and analyzing HTTP POST requests to the endpoint /member/readHistory/delete, specifically looking for manipulation of the 'ids' parameter. You can use tools like curl or intercepting proxies (e.g., Burp Suite) to capture and modify requests to test if the system improperly allows deletion of read history entries not belonging to the authenticated user. For example, a curl command to test might be: curl -X POST -d 'ids=<other_user_ids>' https://<target>/member/readHistory/delete -H 'Cookie: <user_session_cookie>'. Additionally, reviewing server logs for unexpected deletion requests or responses indicating successful deletion of other users' data can help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the /member/readHistory/delete endpoint to ensure that the 'ids' parameter is properly validated against the authenticated user's data. Implement strict access control checks on the server side to verify ownership of the read history entries before deletion. If possible, temporarily disable or restrict the vulnerable API endpoint until a patch or update is applied. Monitor logs for suspicious deletion activities and consider enforcing multi-factor authentication to reduce unauthorized access risks. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13443. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart