CVE-2025-59335

7.1 HIGH

📋 TL;DR

CubeCart ecommerce software versions before 6.5.11 fail to automatically expire user sessions after password changes. This allows attackers who have compromised an account to maintain access even after the legitimate user changes their password, as the attacker's session remains active. All CubeCart installations running vulnerable versions are affected.

💻 Affected Systems

Products:
  • CubeCart
Versions: All versions prior to 6.5.11
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All CubeCart installations with user accounts are vulnerable; no special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Account takeover persists indefinitely despite password changes, enabling attackers to steal sensitive customer data, modify orders, access payment information, and maintain persistent control over compromised accounts.

🟠 Likely Case

Attackers maintain unauthorized access to user accounts for extended periods, potentially accessing personal information, order history, and performing fraudulent transactions.

🟢 If Mitigated

With proper session management controls, attackers lose access immediately upon password change, limiting exposure to the initial compromise window.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires initial account compromise through other means (phishing, credential stuffing, etc.), but maintaining access after password change is trivial.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.11

Vendor Advisory: https://github.com/cubecart/v6/security/advisories/GHSA-4vwh-x8m2-fmvv

Restart Required: No

Instructions:

1. Backup your CubeCart installation and database.
2. Download version 6.5.11 from the official CubeCart repository.
3. Replace all files with the patched version.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Manual Session Invalidation

Manually invalidate all active sessions after a password change by clearing the user's session data:

DELETE FROM CubeCart_sessions WHERE user_id = [USER_ID];

Reduce Session Lifetime

Configure shorter session timeout values to limit the exposure window:

Modify session.gc_maxlifetime in php.ini or .htaccess to reduce session duration

🧯 If You Can't Patch

  • Force all users to log out and create new sessions immediately
  • Implement additional authentication factors for sensitive operations

🔍 How to Verify

Check if Vulnerable:

Check CubeCart version in admin panel or examine /includes/global.inc.php for version number

Check Version:

grep -i 'version' /path/to/cubecart/includes/global.inc.php | head -1

Verify Fix Applied:

After updating to 6.5.11, test by changing a user password and verifying active sessions are terminated

📡 Detection & Monitoring

Log Indicators:

  • Multiple concurrent sessions from different IPs for same user account
  • Password change events followed by continued session activity from old IPs

Network Indicators:

  • Unusual login patterns with same session IDs persisting across password changes

SIEM Query:

source="cubecart_logs" (event="password_change") AND (same session_id before AND after change)
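The log indicators above (a password change followed by continued activity from a pre-existing session) can be checked offline against exported events. The following is an added example, not CubeCart code or a real log format: the events, field names and the decision to ignore the session that performed the change are all constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample events, one JSON object per line (not real CubeCart output).
# Field names (ts, event, user, session_id, ip) are assumptions for this example.
SAMPLE_LOG = """\
{"ts": 100, "event": "login", "user": "alice", "session_id": "s1", "ip": "10.0.0.5"}
{"ts": 110, "event": "login", "user": "alice", "session_id": "s2", "ip": "203.0.113.9"}
{"ts": 120, "event": "password_change", "user": "alice", "session_id": "s1", "ip": "10.0.0.5"}
{"ts": 130, "event": "page_view", "user": "alice", "session_id": "s2", "ip": "203.0.113.9"}
{"ts": 140, "event": "login", "user": "bob", "session_id": "s3", "ip": "198.51.100.2"}
{"ts": 150, "event": "password_change", "user": "bob", "session_id": "s3", "ip": "198.51.100.2"}
{"ts": 160, "event": "page_view", "user": "bob", "session_id": "s4", "ip": "198.51.100.2"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_surviving_sessions(events):
    """Return (user, session_id, ip) for sessions that already existed when the
    user changed their password and are still active afterwards.

    Assumption: the session that submitted the change is expected to stay
    logged in, so only *other* pre-existing sessions are reported. On a fixed
    install (6.5.11+) this list should be empty; any hit deserves a look."""
    events = sorted(events, key=lambda e: e["ts"])
    seen = defaultdict(set)        # user -> session_ids observed so far
    at_risk = {}                   # user -> sessions alive at the last change
    hits = []
    for e in events:
        user, sid = e["user"], e["session_id"]
        if e["event"] == "password_change":
            # Snapshot every session other than the changer's own.
            at_risk[user] = set(seen[user]) - {sid}
            continue
        hit = (user, sid, e["ip"])
        if sid in at_risk.get(user, ()) and hit not in hits:
            hits.append(hit)
        seen[user].add(sid)
    return hits


if __name__ == "__main__":
    for user, sid, ip in find_surviving_sessions(parse_events(SAMPLE_LOG)):
        print(f"session {sid} for {user} still active from {ip} after password change")
```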
