CVE-2025-65647: n/a
Insecure Direct Object Reference (IDOR) in the Track order function in PHPGURUKUL Online Shopping Portal 2.1 allows information disclosure via the oid parameter.
AI Analysis
Technical Summary
CVE-2025-65647 is an Insecure Direct Object Reference (IDOR) vulnerability identified in the Track order function of the PHPGURUKUL Online Shopping Portal version 2.1. The vulnerability arises from insufficient access control validation on the 'oid' (order ID) parameter: an attacker with limited privileges (PR:L) can change this parameter directly to retrieve order information they are not authorized to view. The flaw results in unauthorized information disclosure, compromising the confidentiality of order data. It does not affect data integrity or availability and does not require user interaction (UI:N); it is exploitable remotely over the network (AV:N) with low attack complexity (AC:L). The CVSS v3.1 base score is 4.3, a medium severity level. No patches or known exploits are currently available, so organizations using this software should proactively assess and remediate the issue. The vulnerability is classified under CWE-639, authorization bypass through improper validation of object references. Since the affected versions are unspecified, it is critical for users of PHPGURUKUL Online Shopping Portal to verify their version and implement access control checks on the 'oid' parameter to prevent unauthorized data exposure.
Potential Impact
The primary impact of CVE-2025-65647 is unauthorized disclosure of order information, which can include sensitive customer data such as personal details, purchase history, and possibly payment information depending on the implementation. For European organizations, this breach of confidentiality can lead to violations of GDPR and other data protection regulations, resulting in legal penalties and reputational damage. Although the vulnerability does not affect system integrity or availability, the exposure of customer data can undermine trust in e-commerce platforms and lead to financial losses through customer churn or regulatory fines. The ease of exploitation and remote accessibility increase the risk of widespread unauthorized data access if left unmitigated. Organizations relying on PHPGURUKUL Online Shopping Portal for their e-commerce operations should consider the potential for targeted attacks aiming to harvest customer data, especially in sectors with high transaction volumes.
Mitigation Recommendations
To mitigate CVE-2025-65647, organizations should implement strict access control on the 'oid' parameter within the Track order function. The request handler must verify that the requesting user owns the specific order ID, or otherwise holds the appropriate permission, before disclosing any order information. Parameterized queries harden the same code path against injection, and replacing guessable direct object references in URLs with indirect, per-user references reduces the risk of IDOR vulnerabilities. Additionally, logging and monitoring access to order tracking endpoints can help detect anomalous access patterns, such as one user requesting many order IDs that are not theirs, which indicate exploitation attempts. Since no official patches are currently available, organizations should consider applying custom code fixes or workarounds that enforce the authorization check. Regular security assessments and code reviews focused on access control logic are recommended to prevent similar vulnerabilities. Finally, educating developers on secure coding practices for object reference handling will help reduce future risk.
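The ownership check and the access-log monitoring described above, written as an added Python example that is not PHPGURUKUL code; the in-memory order table, user names, and log line format are constructed for the illustration, and the real portal would read orders from its database.

```python
"""Added example (not PHPGURUKUL code): ownership check on an order-tracking
lookup, plus a detector for oid enumeration over constructed access logs."""
from collections import defaultdict

# Constructed in-memory order table; the real portal reads from its database.
ORDERS = {
    101: {"owner": "alice", "status": "shipped"},
    102: {"owner": "bob", "status": "processing"},
    103: {"owner": "bob", "status": "delivered"},
}

def track_order_insecure(oid):
    """The IDOR pattern (CWE-639): only checks that the order exists,
    so any authenticated user can read any order by changing oid."""
    order = ORDERS.get(oid)
    return order["status"] if order else None

def track_order(current_user, oid):
    """Hardened lookup: the oid must belong to the authenticated user.
    Returning None for both 'missing' and 'not yours' avoids confirming
    which order ids exist to a user who does not own them."""
    order = ORDERS.get(oid)
    if order is None or order["owner"] != current_user:
        return None
    return order["status"]

# Constructed log lines emitted by the tracking endpoint: who asked for
# which oid, and whether the ownership check passed.
ACCESS_LOG = [
    "user=alice oid=101 result=ok",
    "user=mallory oid=101 result=denied",
    "user=mallory oid=102 result=denied",
    "user=mallory oid=103 result=denied",
    "user=bob oid=102 result=ok",
]

def enumeration_suspects(log_lines, threshold=3):
    """Flag users whose denied lookups hit `threshold` or more distinct oids;
    repeated denials across different order ids are the IDOR probing signal."""
    denied = defaultdict(set)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("result") == "denied":
            denied[fields["user"]].add(fields["oid"])
    return sorted(u for u, oids in denied.items() if len(oids) >= threshold)
```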
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69260888ffc41f183f790645
Added to database: 11/25/2025, 7:50:32 PM
Last enriched: 11/25/2025, 8:05:45 PM
Last updated: 11/25/2025, 9:09:56 PM