Login Sign Up

CVE-2025-13239

4.3 MEDIUM

📋 TL;DR

This vulnerability in Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution 5 allows attackers to manipulate checkout parameters (order_total_amount/cart_total_amount) to enforce behavioral workflow. It affects systems running the vulnerable software and can be exploited remotely. The vendor has not responded to disclosure attempts.

💻 Affected Systems

Products:
  • Bdtask/CodeCanyon Isshue Multi Store eCommerce Shopping Cart Solution
Versions: Version 5
Operating Systems: Any OS running the vulnerable software
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /submit_checkout endpoint functionality. All installations of version 5 are vulnerable unless specifically hardened.

📦 What is this software?

Isshue by Bdtask

View all CVEs affecting Isshue →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could manipulate pricing, order processing, or workflow enforcement leading to financial loss, data integrity issues, or unauthorized order modifications.

🟠

Likely Case

Price manipulation during checkout, potentially allowing attackers to purchase items at incorrect prices or bypass payment validation.

🟢

If Mitigated

Limited impact if proper input validation and business logic controls are in place to verify order amounts server-side.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available in GitHub PoC repositories. Attack requires manipulation of checkout parameters which is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider alternative ecommerce solutions or implement custom fixes with proper input validation.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement server-side validation of order_total_amount and cart_total_amount parameters to ensure they match calculated values.

Web Application Firewall Rules

all

Deploy WAF rules to block suspicious parameter manipulation in /submit_checkout requests.

🧯 If You Can't Patch

  • Disable or restrict access to the /submit_checkout endpoint if not essential
  • Implement additional server-side business logic validation for all checkout transactions

🔍 How to Verify

Check if Vulnerable:

Test if manipulating order_total_amount or cart_total_amount parameters in /submit_checkout requests bypasses validation.

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Verify that parameter manipulation no longer affects checkout processing and all amounts are validated server-side.

📡 Detection & Monitoring

Log Indicators:

  • Unusual order_total_amount values in checkout logs
  • Mismatch between submitted and calculated order amounts

Network Indicators:

  • HTTP POST requests to /submit_checkout with modified amount parameters

SIEM Query:

source="web_logs" AND uri_path="/submit_checkout" AND (order_total_amount!=* OR cart_total_amount!=*)

📊 Metadata

CVE ID: CVE-2025-13239
CVSS v3 Score: 4.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-840
EPSS Score: 0.08% exploit probability (22.5th percentile)
Published: November 16, 2025
Last Updated: November 20, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13239, you might also want to check these:

CVE-2022-32207 9.8

CVE-2022-32207 is a privilege escalation vulnerability in curl versions before 7.84.0 where file per...

Same vulnerability type (CWE-840)
CVE-2024-39671 9.3

This CVE describes an access control vulnerability in Huawei's security verification module that cou...

Same vulnerability type (CWE-840)
CVE-2023-6514 8.8

This vulnerability allows attackers to bypass Bluetooth authentication on certain Huawei Smart Scree...

Same vulnerability type (CWE-840)