Authorization Bypass in newbee-mall-plus by Vendor
CVE-2025-12854

6.3MEDIUM

Key Information:

Vendor

newbee

Status
Newbee-mall-plus
Vendor
CVE Published:
7 November 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-12854?

The newbee-mall-plus software, up to version 2.4.1, has an authorization bypass vulnerability in the executeSeckill function located within the /seckillExecution/ file. This flaw allows an attacker to manipulate the userid argument, potentially enabling unauthorized access to sensitive functionalities of the application. The vulnerability can be exploited remotely, presenting a risk to users of the affected software. Despite the high complexity required to execute the attack, the exploit is publicly available, heightening the urgency for users to take necessary precautions.

Affected Version(s)

newbee-mall-plus 2.4.0

newbee-mall-plus 2.4.1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-12854 - Proof of Concept

References

https://vuldb.com/?id.331500
vdb-entrytechnical-description
https://vuldb.com/?ctiid.331500
signaturepermissions-required
https://vuldb.com/?submit.679281
third-party-advisory

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

huangweigang (VulDB User)
JSON
.
CVE-2025-12854 : Authorization Bypass in newbee-mall-plus by Vendor