An issue in Erick xmall version 1.1 and earlier allows a remote attacker to escalate privileges via the updateAddress method of the Address Controller class.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.