CVE-2025-22385

Name of the Vulnerable Software and Affected Versions Optimizely Configured Commerce versions prior to 5.2.2408

Description An issue was discovered in Optimizely Configured Commerce where the Commerce B2B application does not require email confirmation for newly created accounts. This allows the mass creation of accounts, potentially affecting database storage, and enabling the creation of non-requested storefront accounts on behalf of visitors.

Recommendations For versions prior to 5.2.2408, update to version 5.2.2408 or later to resolve the issue. As a temporary workaround, consider implementing email confirmation for newly created accounts to prevent mass account creation. Restrict access to account creation features to minimize the risk of exploitation.