Description
A weakness has been identified in MacCMS up to 2025.1000.4052. This vulnerability affects the function order_info of the file application/index/controller/User.php of the component Member Order Detail Interface. This manipulation of the argument order_id causes authorization bypass. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.
Published: 2026-03-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass resulting in unauthorized access to user order information
Action: Patch
AI Analysis

Impact

A flaw in MacCMS up to 2025.1000.4052 allows remote manipulation of the order_id argument in the order_info function of User.php, leading to an unauthorized bypass of access checks. This weakness permits an attacker to view or modify order details that should be protected by authentication, effectively exposing confidential customer data. The vulnerability is rooted in improper authorization checks, as identified by CWE-285 and CWE-639.

Affected Systems

MacCMS versions released before or equal to 2025.1000.4052 are affected. The attack targets the Member Order Detail Interface component, specifically the User.php controller handling order information. No other affected products or versions are listed.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. The exploit is available publicly and can be invoked remotely, increasing its risk floor. While the EPSS score is not available, the lack of KEV listing suggests the vulnerability has not yet been catalogued as a widely exploited weakness. Attackers would need remote access to the application and can supply crafted order_id parameters to bypass authorization checks, making the exploitation straightforward for those with network reach to the system.

Generated by OpenCVE AI on March 23, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MacCMS patch (release 2025.1000.4052 or later) to eliminate the order_id handling flaw.
  • Verify that order_id parameters are correctly validated and bound to the authenticated user's context.
  • Monitor for anomalous access patterns to order information and restrict API permissions as a temporary control.
  • Keep the system and its components up to date by checking the vendor’s update announcements regularly.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 01:45:00 +0000

Type                | Values Removed | Values Added
Description         |                | A weakness has been identified in MacCMS up to 2025.1000.4052. This vulnerability affects the function order_info of the file application/index/controller/User.php of the component Member Order Detail Interface. This manipulation of the argument order_id causes authorization bypass. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.
Title               |                | MacCMS Member Order Detail User.php order_info authorization
First Time appeared |                | Maccms, Maccms maccms
Weaknesses          |                | CWE-285, CWE-639
CPEs                |                | cpe:2.3:a:maccms:maccms:*:*:*:*:*:*:*:*
Vendors & Products  |                | Maccms, Maccms maccms
References          |                |
Metrics             |                | cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
                    |                | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
                    |                | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
                    |                | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-25T13:53:02.294Z

Reserved: 2026-03-22T08:20:25.349Z

Link: CVE-2026-4563

Vulnrichment

Updated: 2026-03-25T13:52:58.414Z

NVD

Status: Deferred

Published: 2026-03-23T00:16:51.893

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-4563

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:50:19Z

Weaknesses