CVE-2025-15087 is an improper authorization vulnerability found in the youlaitech youlai-mall e-commerce platform, specifically in versions 1.0.0 and 2.0.0. The flaw resides in the submitOrderPayment function within the OrderController.java source file, where the orderSn parameter is insufficiently validated or authorized. This allows an attacker to manipulate the orderSn argument remotely to bypass authorization checks, potentially submitting payment orders on behalf of other users or altering order payment status without proper permissions. The vulnerability requires no user interaction and no prior authentication, increasing its exploitability. The vendor was contacted but has not issued any patches or mitigations. The vulnerability has a CVSS 4.0 base score of 5.3, indicating medium severity, with an attack vector of network, low attack complexity, no privileges required, and no user interaction needed. The impact primarily affects the integrity and potentially the availability of order payment processing within the platform. No known exploits have been observed in the wild yet, but public disclosure increases the risk of exploitation. This vulnerability highlights the importance of robust authorization checks on critical e-commerce functions to prevent unauthorized financial transactions.

The improper authorization vulnerability in youlai-mall can lead to unauthorized submission or manipulation of order payments, potentially allowing attackers to interfere with financial transactions, cause fraudulent payments, or disrupt order processing. This can result in financial losses, reputational damage, and operational disruption for organizations using the affected platform. Since the vulnerability can be exploited remotely without authentication or user interaction, it poses a significant risk to any exposed youlai-mall installations. The integrity of order data and payment processes is directly impacted, and while availability impact is limited, unauthorized transactions could indirectly cause service disruptions or customer trust issues. Organizations relying on youlai-mall for e-commerce operations are at risk of fraud and operational compromise until the vulnerability is mitigated.

Organizations should immediately audit and restrict access to the submitOrderPayment function, implementing strict authorization checks to ensure that orderSn parameters correspond only to orders owned by the authenticated user or authorized entity. Network-level protections such as web application firewalls (WAFs) should be configured to detect and block suspicious manipulation of orderSn parameters. Monitoring and logging of order payment submissions should be enhanced to detect anomalous activity. If possible, disable or restrict remote access to the affected endpoints until a vendor patch or official fix is available. Organizations should also consider code review and patching to validate authorization logic rigorously. Engaging with the vendor for updates or applying community-developed patches is recommended. Finally, educating developers on secure coding practices around authorization can prevent similar issues.