CVE-2025-13443 is a vulnerability identified in macrozheng mall, an e-commerce platform, affecting versions 1.0.0 through 1.0.3. The issue lies in the improper access control of the delete function located at the /member/readHistory/delete API endpoint. Specifically, the vulnerability arises from insufficient validation of the 'ids' parameter, which attackers can manipulate remotely to delete read history records of users without proper authorization. The vulnerability is exploitable over the network (AV:N) with low attack complexity (AC:L), requiring no user interaction (UI:N) and no authentication (AT:N), but the attacker must have low privileges (PR:L). The impact primarily affects integrity and availability, as unauthorized deletion of user data can disrupt service and compromise data accuracy. The CVSS 4.0 base score is 5.3, reflecting a medium severity level. Although no known exploits are currently active in the wild, the public disclosure of exploit details increases the risk of exploitation. The vulnerability does not affect confidentiality or system control but can degrade user trust and service reliability. The lack of vendor patches at the time of disclosure necessitates immediate mitigation efforts by administrators.

For European organizations using macrozheng mall, this vulnerability poses a risk of unauthorized deletion of user read history data, which can impact data integrity and availability of user-related services. This may lead to operational disruptions, loss of user trust, and potential compliance issues under data protection regulations like GDPR if user data is improperly handled or lost. Retailers and e-commerce businesses relying on macrozheng mall could face service degradation or customer dissatisfaction. Although the vulnerability does not directly expose sensitive data, the ability to manipulate user data without authorization can be leveraged in broader attack chains or to cover tracks after other malicious activities. The medium severity rating suggests moderate risk, but the public availability of exploit information increases urgency for mitigation. Organizations with large user bases or those in regulated sectors should prioritize addressing this vulnerability to maintain service integrity and compliance.

1. Immediately audit and restrict access controls on the /member/readHistory/delete endpoint to ensure only authorized users can perform delete operations. 2. Implement server-side validation of the 'ids' parameter to verify ownership and authorization before processing delete requests. 3. Monitor logs for unusual or excessive delete requests targeting read history data to detect potential exploitation attempts. 4. Apply any vendor-provided patches or updates as soon as they become available. 5. If patches are not yet available, consider implementing temporary compensating controls such as rate limiting, IP filtering, or requiring stronger authentication for delete operations. 6. Educate development and security teams about secure coding practices to prevent similar access control issues in future releases. 7. Conduct penetration testing focused on access control enforcement to identify and remediate related vulnerabilities.