Could you post more details about what this is impacting?
Not asking about the exploit mechanism but what is it impacting?
For example is the issue that registered users can delete other registered user's products without said addition (or is anyone referring to guests as well)?
Does that apply if user's don't have the ability to edit/post products in the first place (only admin posting of products for example)?
Or does this apply to user reviews/comments as well?