CVE-2025-47272: CWE-306: Missing Authentication for Critical Function in CE-PhoenixCart PhoenixCart
The CE Phoenix eCommerce platform, starting in version 1.0.9.7 and prior to version 1.1.0.3, allowed logged-in users to delete their accounts without requiring password re-authentication. An attacker with temporary access to an authenticated session (e.g., on a shared/public machine) could permanently delete the user’s account without knowledge of the password. This bypass of re-authentication puts users at risk of account loss and data disruption. Version 1.1.0.3 contains a patch for the issue.
AI Analysis
Technical Summary
CVE-2025-47272 is a vulnerability identified in the CE Phoenix eCommerce platform, specifically affecting versions from 1.0.9.7 up to but not including 1.1.0.3. The issue is categorized under CWE-306, which refers to missing authentication for critical functions. In this case, the vulnerability allows any logged-in user to delete their account without needing to re-authenticate by providing their password. This lack of a re-authentication step means that if an attacker gains temporary access to an authenticated session—such as on a shared or public computer—they can permanently delete the user’s account without knowing the account password. The vulnerability does not affect confidentiality or integrity directly but severely impacts availability by enabling account deletion without proper authorization checks. The CVSS v3.1 score is 5.5 (medium severity), reflecting the local attack vector (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), no impact on confidentiality or integrity (C:N/I:N), but high impact on availability (A:H). The vulnerability was patched in version 1.1.0.3 of PhoenixCart. No known exploits are currently reported in the wild. The core technical issue is the absence of a password re-authentication step before performing the critical function of account deletion, which is a best practice to prevent unauthorized destructive actions within authenticated sessions.
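The defect described above is a missing re-authentication step in front of a destructive action. The following PHP is an added illustration written for this page, not PhoenixCart's own code; it assumes a PDO handle `$db`, a `customers` table with `customers_id` and `customers_password` (a `password_hash()` digest), the session key `customer_id` and a CSRF token in `$_SESSION['csrf']`, all of which are assumed names.

```php
<?php
// Added illustrative example; not PhoenixCart's own code. Table, column,
// session-key and token names below are assumptions, not the project's.
declare(strict_types=1);

// BEFORE (the CWE-306 pattern): being logged in is the only check, so
// anyone holding the session can delete the account without the password.
function delete_account_vulnerable(PDO $db): bool
{
    if (empty($_SESSION['customer_id'])) {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM customers WHERE customers_id = ?');
    return $stmt->execute([$_SESSION['customer_id']]);
}

// AFTER: the caller must prove knowledge of the current password (and present
// a session-bound CSRF token) before the row is deleted.
function delete_account_hardened(PDO $db, array $post): bool
{
    if (empty($_SESSION['customer_id'])) {
        return false;
    }
    // Reject requests that do not carry the token issued to this session.
    if (!isset($post['csrf'], $_SESSION['csrf'])
        || !hash_equals($_SESSION['csrf'], (string) $post['csrf'])) {
        return false;
    }
    // Re-authenticate: compare the submitted password with the stored hash.
    $stmt = $db->prepare('SELECT customers_password FROM customers WHERE customers_id = ?');
    $stmt->execute([$_SESSION['customer_id']]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !isset($post['password'])
        || !password_verify((string) $post['password'], (string) $hash)) {
        // Failed re-authentication is worth logging: it is the signal a
        // defender would monitor for under "unusual account deletion activity".
        error_log('account deletion refused: re-authentication failed for customer '
            . (string) $_SESSION['customer_id']);
        return false;
    }
    $del = $db->prepare('DELETE FROM customers WHERE customers_id = ?');
    $ok = $del->execute([$_SESSION['customer_id']]);
    if ($ok) {
        // Invalidate the session so the cookie cannot be reused afterwards.
        $_SESSION = [];
        session_destroy();
    }
    return $ok;
}
```

The hardened handler refuses the request on a missing or wrong password rather than falling back to the session check, which is the behaviour the 1.1.0.3 fix restores.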
Potential Impact
For European organizations using the CE Phoenix eCommerce platform, this vulnerability poses a risk of account loss and disruption of user services. Attackers with temporary access to authenticated sessions—such as through physical access to shared terminals, session hijacking, or insufficient session management—could delete user accounts, leading to loss of customer data, disruption of business operations, and potential reputational damage. While the vulnerability does not lead to data leakage or unauthorized data modification, the permanent deletion of accounts can cause significant operational impact, especially for businesses relying on customer accounts for transactions and loyalty programs. Additionally, recovery from such deletions may require manual intervention or restoration from backups, increasing operational costs. The medium severity rating suggests moderate urgency, but organizations with high user traffic or sensitive customer data should prioritize remediation to avoid service disruption and customer dissatisfaction.
Mitigation Recommendations
European organizations should immediately upgrade CE PhoenixCart installations to version 1.1.0.3 or later, where the patch addressing this vulnerability is implemented. Until the upgrade is applied, organizations should enforce strict session management policies, including automatic session timeouts and logout on shared or public terminals. Implementing multi-factor authentication (MFA) can reduce the risk of session hijacking. Additionally, organizations should educate users about logging out from public or shared devices and monitor for unusual account deletion activities. Web application firewalls (WAFs) can be configured to detect and block suspicious account deletion requests if feasible. Finally, regular backups of user account data should be maintained to enable recovery in case of unauthorized deletions.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-05T16:53:10.372Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683d83e8182aa0cae2402a66
Added to database: 6/2/2025, 10:58:48 AM
Last enriched: 7/9/2025, 12:57:23 PM
Last updated: 8/9/2025, 3:36:53 PM