
macrozheng mall CVE-2025-15118

Severity: LOW (CVSS 4.0 base score 2.1, rated by NVD)
Weakness: Incorrect Privilege Assignment (CWE-266)
Date: 2025-12-28 · CNA: cna@vuldb.com

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS vector breakdown (NVD)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026, 03:02 (vuln.today)

Description (CVE.org)

A security vulnerability has been detected in macrozheng mall up to 1.0.3. This vulnerability affects unknown code of the file /member/address/update/ of the component Member Endpoint. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.

Analysis (AI)

Improper authorization in macrozheng mall up to version 1.0.3 allows authenticated remote attackers to modify member address information via the /member/address/update/ endpoint, resulting in unauthorized data manipulation. The vulnerability affects the Member Endpoint component and has publicly available exploit code, though real-world exploitation risk is low based on EPSS scoring (0.05%, 14th percentile) and the requirement for prior authentication.

Technical Context (AI)

The vulnerability exists in the Member Endpoint component, specifically the /member/address/update/ API endpoint, and is classified under CWE-266 (Incorrect Privilege Assignment). The issue stems from insufficient authorization checks that allow authenticated users to perform actions beyond their intended privilege level: the endpoint does not verify that the user attempting to update an address owns that specific address record or otherwise holds permission to modify it. This is a common pattern in e-commerce platforms, where member-facing endpoints accept a record identifier from the request and apply the change without tying the record back to the authenticated identity or role.
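To make the missing check concrete, the following is an added illustration written for this page; it is not code from the macrozheng mall project and does not reproduce its handler. It models a framework-agnostic address-update handler over an in-memory store: the vulnerable form applies whatever address id the request names, while the hardened form looks the record up, compares its owner with the server-side session identity, and restricts which fields the client may change. All names (AddressStore, update_address_vulnerable, update_address_fixed, the sample members 100 and 200) are hypothetical.

```python
"""Ownership check on an address-update handler (added example, not mall code)."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not the owner of the target address."""


@dataclass
class Address:
    id: int
    member_id: int          # owner of this address record
    receiver: str
    detail: str


@dataclass
class AddressStore:
    """Hypothetical in-memory stand-in for the address table."""
    rows: dict = field(default_factory=dict)

    def get(self, address_id):
        return self.rows.get(address_id)


def update_address_vulnerable(store, current_member_id, address_id, changes):
    """Vulnerable pattern: trusts the id from the request and never compares
    the record's owner with the authenticated member."""
    addr = store.get(address_id)
    if addr is None:
        return None
    for key, value in changes.items():
        setattr(addr, key, value)
    return addr


def update_address_fixed(store, current_member_id, address_id, changes):
    """Hardened pattern: load the record, enforce ownership against the
    session identity, then apply only client-updatable fields."""
    addr = store.get(address_id)
    if addr is None:
        return None
    if addr.member_id != current_member_id:
        # Reject; a real handler would also log this for detection.
        raise Forbidden(f"member {current_member_id} does not own address {address_id}")
    allowed = {"receiver", "detail"}   # never let the client rewrite id or member_id
    for key, value in changes.items():
        if key not in allowed:
            raise ValueError(f"field {key!r} is not updatable")
        setattr(addr, key, value)
    return addr


def make_store():
    """Constructed sample data: two members, one address each."""
    s = AddressStore()
    s.rows[1] = Address(1, 100, "Alice", "1 First St")
    s.rows[2] = Address(2, 200, "Bob", "2 Second St")
    return s


def demo():
    """Member 100 tries to change member 200's address (id 2) via both handlers.
    Returns (detail after vulnerable call, whether the fixed call was blocked,
    detail after fixed call)."""
    store = make_store()
    update_address_vulnerable(store, 100, 2, {"detail": "tampered"})
    tampered = store.get(2).detail
    store = make_store()
    try:
        update_address_fixed(store, 100, 2, {"detail": "tampered"})
        blocked = False
    except Forbidden:
        blocked = True
    return tampered, blocked, store.get(2).detail


if __name__ == "__main__":
    print(demo())
```

The decisive line is the comparison of `addr.member_id` with the identity taken from the session rather than from the request body; the allow-list of updatable fields additionally prevents a client from reassigning a record to another member through the same call.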

Remediation (AI)

Apply a patched version of macrozheng mall released after version 1.0.3 that includes authorization checks in the /member/address/update/ endpoint. Verify the specific patched version with the vendor (macrozheng project) via their official repository or advisory channels, as no exact fix version was identified in available references. As a temporary compensating control, restrict access to the /member/address/update/ endpoint to trusted networks only, or implement API gateway-level rate limiting and request validation. Monitor address update requests for suspicious patterns (e.g., users modifying addresses they do not own, bulk updates, or updates at unusual times). If patching is delayed, consider adding authorization middleware that validates the requesting user's ownership of, or administrative role over, the address being modified; the trade-off is that this requires application-level code changes and testing.
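The monitoring advice above can be turned into simple detection logic. The following is an added example, not part of the advisory or of the mall project: it reads constructed JSON-lines audit records for the /member/address/update/ endpoint and flags two of the patterns named above, an update by a member who does not own the target address, and a burst of updates from one member inside a short window. The log field names, the path layout with the address id as the last segment, and the ownership map are assumptions about how a gateway or application might log; a real deployment would take the ownership map from the address table.

```python
"""Detection over address-update audit logs (added example; format is assumed)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ownership map (address_id -> member_id), as a DB query would return it.
ADDRESS_OWNER = {1: 100, 2: 200, 3: 200, 4: 300}

# Constructed audit lines; field names are an assumption, not the project's format.
SAMPLE_LOG = """\
{"ts": "2025-12-28T10:00:00Z", "member_id": 100, "path": "/member/address/update/1", "status": 200}
{"ts": "2025-12-28T10:00:05Z", "member_id": 100, "path": "/member/address/update/2", "status": 200}
{"ts": "2025-12-28T10:00:06Z", "member_id": 100, "path": "/member/address/update/3", "status": 200}
{"ts": "2025-12-28T10:00:07Z", "member_id": 100, "path": "/member/address/update/4", "status": 200}
{"ts": "2025-12-28T11:30:00Z", "member_id": 200, "path": "/member/address/update/2", "status": 200}
{"ts": "2025-12-28T11:30:01Z", "member_id": 200, "path": "/member/address/list", "status": 200}
"""

UPDATE_PREFIX = "/member/address/update/"


def parse_updates(text):
    """Yield (timestamp, member_id, address_id) for address-update records only."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        path = rec["path"]
        if not path.startswith(UPDATE_PREFIX):
            continue
        address_id = int(path[len(UPDATE_PREFIX):].strip("/"))
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, rec["member_id"], address_id


def find_foreign_updates(text, owners):
    """Updates where the requesting member is not the owner of the address.
    Returns a list of (member_id, address_id, owner_id)."""
    hits = []
    for _, member, addr in parse_updates(text):
        owner = owners.get(addr)
        if owner is not None and owner != member:
            hits.append((member, addr, owner))
    return hits


def find_bursts(text, threshold=3, window=timedelta(seconds=60)):
    """Members that issued at least `threshold` updates inside any sliding window."""
    by_member = defaultdict(list)
    for ts, member, _ in parse_updates(text):
        by_member[member].append(ts)
    flagged = []
    for member, times in by_member.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(member)
                break
    return flagged


if __name__ == "__main__":
    print("foreign updates:", find_foreign_updates(SAMPLE_LOG, ADDRESS_OWNER))
    print("burst members:", find_bursts(SAMPLE_LOG))
```

On a vulnerable build the foreign-update check is the higher-signal rule, because a successful (status 200) update of an address the caller does not own is exactly the condition a correct authorization check would have prevented; the burst rule is a weaker heuristic that also catches legitimate bulk edits and should be tuned to the site's normal traffic.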


CVE-2025-15118 vulnerability details – vuln.today
