CVE-2025-65647: n/a
CVE-2025-65647 is an Insecure Direct Object Reference (IDOR) vulnerability in the Track order function of PHPGURUKUL Online Shopping Portal 2.1. It allows an attacker with limited privileges to disclose information by manipulating the 'oid' parameter without requiring user interaction. The vulnerability has a medium severity with a CVSS score of 4.3, impacting confidentiality but not integrity or availability. No known exploits are currently reported in the wild. European organizations using this specific e-commerce platform could be at risk of unauthorized data exposure. Mitigation involves implementing proper access control checks on the 'oid' parameter and validating user permissions before disclosing order information. Countries with higher e-commerce adoption and usage of PHPGURUKUL products, such as Germany, France, and the UK, are more likely to be affected. Given the medium severity and limited scope, organizations should prioritize patching and access control improvements to prevent potential data leaks.
AI Analysis
Technical Summary
CVE-2025-65647 identifies an Insecure Direct Object Reference (IDOR) vulnerability in the Track order function of the PHPGURUKUL Online Shopping Portal version 2.1. IDOR vulnerabilities occur when an application exposes internal implementation objects, such as database keys or file names, without proper authorization checks. In this case, the 'oid' parameter, presumably representing an order identifier, can be manipulated by an attacker to access information related to other orders. The vulnerability allows information disclosure, impacting confidentiality, but does not affect data integrity or system availability. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) indicates that the attack can be performed remotely over the network with low attack complexity, requires low privileges (authenticated user), and no user interaction. The vulnerability is classified under CWE-639, which relates to authorization bypass through improper access control on object references. No patches or known exploits are currently available, suggesting this is a newly published vulnerability. The lack of affected version details implies the need for organizations to verify their use of PHPGURUKUL Online Shopping Portal 2.1 or related versions. The vulnerability's exploitation could lead to unauthorized disclosure of order information, potentially exposing customer data and order details.
Potential Impact
For European organizations using PHPGURUKUL Online Shopping Portal 2.1, this vulnerability could lead to unauthorized disclosure of customer order information, violating data privacy regulations such as GDPR. Exposure of order details may include personally identifiable information (PII), order contents, and transaction history, which could be leveraged for fraud, social engineering, or reputational damage. Although the vulnerability does not allow modification or deletion of data, the confidentiality breach alone can have significant compliance and trust implications. The medium severity reflects limited impact scope but notable risk due to ease of exploitation by authenticated users. Retailers and e-commerce businesses in Europe relying on this platform are particularly at risk, especially those handling large volumes of customer data. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks. Organizations failing to address this vulnerability may face regulatory penalties and loss of customer confidence.
Mitigation Recommendations
1. Implement strict access control checks on the 'oid' parameter to ensure users can only access their own order information.
2. Enforce server-side authorization validation before returning any order-related data.
3. Conduct code reviews and penetration testing focusing on IDOR vulnerabilities in all object reference parameters.
4. If possible, apply patches or updates from PHPGURUKUL once available; in the meantime, consider temporary workarounds such as session-based order tracking.
5. Log and monitor access to order tracking endpoints to detect unusual access patterns or attempts to enumerate order IDs.
6. Educate developers on secure coding practices related to object references and authorization.
7. Review and update privacy policies and incident response plans to address potential data disclosure incidents.
8. Restrict API or web interface access to authenticated and authorized users only, minimizing exposure.
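The following Python is an added illustration, not code from PHPGURUKUL or from this advisory. It places the unchecked order lookup that produces an IDOR beside the ownership-checked form that recommendations 1 and 2 describe, and adds a small detector for the order-ID enumeration pattern that recommendation 5 asks operators to watch for. The in-memory order table, the function names, the `/track-order` endpoint path and the access-log format are all assumptions constructed for the example; the authorization check itself is language-independent and applies the same way in the portal's PHP.

```python
"""
Added example (not PHPGURUKUL code): an order-tracking lookup with the IDOR
defect beside its hardened form, plus a detector for order-ID enumeration
run over constructed access-log lines. ORDERS, the function names, the
endpoint path and the log format are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Order:
    oid: int
    owner_id: int
    status: str
    items: tuple


# Constructed in-memory order table standing in for the portal's database.
ORDERS = {
    1001: Order(1001, owner_id=7, status="shipped", items=("book",)),
    1002: Order(1002, owner_id=9, status="processing", items=("lamp", "cable")),
    1003: Order(1003, owner_id=7, status="delivered", items=("mug",)),
}


def track_order_vulnerable(session_user_id, oid):
    """IDOR pattern: the client-supplied 'oid' is trusted as-is and the
    logged-in user is never compared against the order's owner, so any
    authenticated user can read any order by changing the number."""
    order = ORDERS.get(int(oid))
    if order is None:
        return None
    return {"oid": order.oid, "status": order.status, "items": list(order.items)}


def track_order_fixed(session_user_id, oid):
    """Hardened form: the order is only returned when it belongs to the
    session user. Unknown and foreign orders both yield the same 'not found'
    result so the response does not reveal which order IDs exist."""
    try:
        oid_int = int(oid)
    except (TypeError, ValueError):
        return None
    order = ORDERS.get(oid_int)
    if order is None or order.owner_id != session_user_id:
        return None
    return {"oid": order.oid, "status": order.status, "items": list(order.items)}


# Constructed access-log format for the tracking endpoint (assumed, not the
# portal's real log layout): timestamp, session user, request path, outcome.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) path=/track-order\?oid=(?P<oid>\d+) "
    r"result=(?P<result>allowed|denied)$"
)

SAMPLE_LOG = """\
2025-11-25T19:50:01Z user=7 path=/track-order?oid=1001 result=allowed
2025-11-25T19:50:04Z user=7 path=/track-order?oid=1003 result=allowed
2025-11-25T19:51:10Z user=9 path=/track-order?oid=1002 result=allowed
2025-11-25T19:51:12Z user=9 path=/track-order?oid=1001 result=denied
2025-11-25T19:51:13Z user=9 path=/track-order?oid=1003 result=denied
2025-11-25T19:51:13Z user=9 path=/track-order?oid=1004 result=denied
2025-11-25T19:51:14Z user=9 path=/track-order?oid=1005 result=denied
2025-11-25T19:51:14Z user=9 path=/track-order?oid=1006 result=denied
2025-11-25T19:51:15Z user=9 path=/track-order?oid=1007 result=denied
2025-11-25T19:55:40Z user=12 path=/track-order?oid=1002 result=denied
"""


def find_enumerators(log_text, threshold=5):
    """Return the user IDs that were denied on at least `threshold` distinct
    order IDs. A legitimate customer mistyping one number trips a single
    denial; a user walking sequential 'oid' values accumulates many."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m is None or m["result"] != "denied":
            continue
        denied[int(m["user"])].add(int(m["oid"]))
    return sorted(u for u, oids in denied.items() if len(oids) >= threshold)


if __name__ == "__main__":
    print("vulnerable, user 9 asks for order 1001:", track_order_vulnerable(9, "1001"))
    print("fixed, user 9 asks for order 1001:", track_order_fixed(9, "1001"))
    print("fixed, user 7 asks for order 1001:", track_order_fixed(7, "1001"))
    print("users enumerating order IDs:", find_enumerators(SAMPLE_LOG))
```

The fixed lookup deliberately returns the same `None` for a missing order and for another user's order; a distinct "forbidden" answer would still let an authenticated user confirm which order IDs exist. In a real deployment the ownership condition belongs in the database query itself (filter on both the order ID and the session's user ID) rather than in a post-query comparison, so no code path can fetch a foreign row by accident.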
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69260888ffc41f183f790645
Added to database: 11/25/2025, 7:50:32 PM
Last enriched: 12/2/2025, 8:06:50 PM
Last updated: 1/10/2026, 10:11:57 PM