CVE-2025-4119 is a vulnerability identified in Weitong Mall version 1.0.0, specifically within the Product Statistics Handler component at the /queryTotal endpoint. The flaw arises from improper access control mechanisms related to the manipulation of the 'isDelete' parameter. When an attacker remotely supplies the value '1' to this argument, it bypasses intended access restrictions, potentially allowing unauthorized access to product statistics data or related functionalities. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network with low attack complexity. The CVSS 4.0 base score is 6.9, categorized as medium severity, reflecting limited impact on confidentiality, integrity, and availability. The vulnerability does not appear to affect system integrity or availability directly but compromises access control, which could lead to unauthorized data exposure or unauthorized querying of product statistics. No public exploits are currently known in the wild, and no patches have been officially released by the vendor. The vulnerability was publicly disclosed on April 30, 2025, and is documented in the CVE database. The lack of authentication requirements and the remote attack vector make this vulnerability a concern for organizations using Weitong Mall 1.0.0, especially those relying on the affected component for critical business analytics or inventory management.

For European organizations deploying Weitong Mall 1.0.0, this vulnerability could lead to unauthorized access to sensitive product statistics or inventory data, potentially exposing business intelligence to competitors or malicious actors. While the vulnerability does not directly enable data modification or system disruption, unauthorized data access can facilitate further attacks such as social engineering, competitive intelligence gathering, or targeted fraud. Retailers and e-commerce platforms using this software might face reputational damage and loss of customer trust if sensitive operational data is leaked. Additionally, regulatory compliance risks arise under GDPR if personal or sensitive customer data is indirectly exposed through related queries or logs. The medium severity rating indicates that while the immediate risk is moderate, the potential for escalation or chaining with other vulnerabilities exists. Organizations relying heavily on Weitong Mall for product management should consider the risk of data leakage and the operational impact of unauthorized access to internal statistics.

1. Immediate mitigation should include implementing strict access control checks on the /queryTotal endpoint, ensuring that the 'isDelete' parameter cannot be manipulated to bypass authorization. 2. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests attempting to exploit this parameter. 3. Conduct a thorough code review of the Product Statistics Handler component to identify and remediate similar access control weaknesses. 4. Monitor logs for unusual access patterns or repeated queries to the /queryTotal endpoint with abnormal parameter values. 5. If possible, restrict access to the affected endpoint to authenticated and authorized users only, even if the application currently allows anonymous access. 6. Engage with the vendor to obtain patches or updates addressing this vulnerability and plan for timely deployment once available. 7. As a longer-term measure, implement robust input validation and parameter sanitization to prevent manipulation of critical arguments. 8. Consider network segmentation to limit exposure of the Weitong Mall application to trusted internal networks only, reducing the attack surface.