Unrated severityNVD Advisory· Published Sep 22, 2025· Updated Sep 22, 2025

CubeCart Unauthorized Newsletter Unsubscription via force_unsubscribe Parameter

CVE-2025-59413

Description

CubeCart is an ecommerce software solution. Prior to version 6.5.11, a logic flaw exists in the newsletter subscription endpoint that allows an attacker to unsubscribe any user without their consent. By changing the value of the force_unsubscribe parameter in the POST request to 1, an attacker can force the removal of any valid subscriber’s email address. This issue has been patched in version 6.5.11.

Affected products

Cubecart/Cubecartllm-fuzzy
Range: <6.5.11
cubecart/v6v5
Range: < 6.5.11

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/cubecart/v6/commit/7fd1cd04f5d5c3ce1d7980327464f0ff6551de79mitrex_refsource_MISC
github.com/cubecart/v6/commit/db965fcfa260c4f17eb16f8c5494e5af4a8ac271mitrex_refsource_MISC
github.com/cubecart/v6/commit/dbc58cf1f7a6291f7add5893b56bff7920a29128mitrex_refsource_MISC
github.com/cubecart/v6/security/advisories/GHSA-869v-gjv8-9m7fmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000