CubeCart Missing Authorization Vulnerability - CVE-2025-59413

CubeCart is an ecommerce software solution. Prior to version 6.5.11 a logic flaw exists in the newsletter subscription endpoint that allows an attacker to unsubscribe any user without their consent. By changing the value of the force_unsubscribe parameter in the POST request to 1 an attacker can force the removal of any valid subscribers email address. This issue has been patched in version 6.5.11.