macrozheng mall Order Return IDOR Vulnerability
A vulnerability was identified in macrozheng mall up to 1.0.3. This impacts an unknown function of the file /returnApply/create of the component Portal Endpoint. The manipulation of the argument orderId leads to improper control of resource identifiers. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor deleted the GitHub issue for this vulnerability without any explanation.
Quick answer
macrozheng mall should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- macrozheng mall up to 1.0.3
Fixed versions
- Apply the latest trusted upstream patch or restrict the endpoint
How to fix it
macrozheng mall up to 1.0.3 is affected by an access-control issue in /returnApply/create where orderId can be manipulated. Patch the endpoint so users can only act on orders they own or are authorized to manage. Review order return data for unauthorized modifications.
- Inventory macrozheng mall deployments and confirm whether /returnApply/create is exposed.
- Update to the latest trusted upstream patch or apply a local authorization fix for the endpoint.
- Enforce server-side ownership checks for orderId before creating return applications.
- Restrict the return application endpoint behind authenticated sessions and CSRF protection.
- Review order return records for users acting on orders they should not control.
- Invalidate sessions and rotate administrator credentials if abuse is detected.
- Add regression tests for normal users, merchants, and administrators around order return creation.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm the endpoint rejects orderId values for orders outside the current user scope.
- Validate a normal user cannot create return applications for another user order.
- Review application and database logs for suspicious returnApply/create calls.
- Test legitimate return workflows after patching.
- Run a Fixnx scan and confirm no unauthenticated order return endpoint is exposed.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-15186?
macrozheng mall versions listed as affected should be reviewed: macrozheng mall up to 1.0.3.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
