Auth Bypass in newbee-mall-plus 2.4.1 via executeSeckill userid
CVE-2025-12854 Published on November 7, 2025
newbee-mall-plus seckillExecution executeSeckill authorization
A vulnerability was identified in newbee-mall-plus up to 2.4.1. This vulnerability affects the function executeSeckill of the file /seckillExecution/. The manipulation of the argument userid leads to authorization bypass. It is possible to initiate the attack remotely. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit is publicly available and might be used.
Timeline
Advisory disclosed
VulDB entry created
VulDB entry last update
Weakness Types
What is an Insecure Direct Object Reference / IDOR Vulnerability?
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CVE-2025-12854 has been classified to as an Insecure Direct Object Reference / IDOR vulnerability or weakness.
What is an AuthZ Vulnerability?
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CVE-2025-12854 has been classified to as an AuthZ vulnerability or weakness.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.