PT-2025-45162 · Unknown · Xiaozhangbang Voluntary Like System

Published 2025-11-05 · Updated 2026-01-09 · CVE-2025-60784

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: XiaozhangBang Voluntary Like System version 8.8

Description: A flaw exists in the XiaozhangBang Voluntary Like System version 8.8 that allows remote attackers to manipulate the zhekou parameter within the /topfirst.php Pay module. By sending a specially crafted HTTP POST request with zhekou set to a low value, an attacker can acquire votes at a reduced price. Modifying the zid parameter allows attackers to affect purchases made by other users, increasing the impact. The root cause is inadequate server-side validation of these parameters, which can result in financial loss and manipulation of vote totals. The vulnerable API endpoint is /topfirst.php.

Recommendations: Versions prior to 8.8 should be used.
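The two weaknesses described above (a client-supplied price/discount value that the server honours, and a purchase id that is not bound to the requesting user) are both fixed by the same pattern: treat the request as carrying only intent (which order, how many votes) and derive every monetary value and every authorization decision server-side. The PHP handler below is an added illustration written for this advisory; it is not the vendor's code, and the session key, table names (vote_orders, pricing) and column names are assumptions made for the example. It shows the shape of a hardened /topfirst.php purchase step: zhekou is ignored even if present, the price comes from server configuration, and zid must belong to the logged-in user before it is updated.

```php
<?php
// Added example for this advisory, not the Xiaozhangbang project's code.
// Assumed: PHP 8.1+, a PDO/MySQL connection, $_SESSION['uid'] holds the
// authenticated user id, and the tables vote_orders(id, user_id, votes,
// amount_cents) and pricing(unit_price_cents, discount_pct, active) exist.
declare(strict_types=1);

session_start();

function fail(int $status, string $msg): never
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['ok' => false, 'error' => $msg]);
    exit;
}

// Server-side price computation; the client never supplies a discount.
function computeTotalCents(int $unitCents, int $discountPct, int $count): int
{
    // Clamp the discount even if the configuration row is malformed.
    $discountPct = max(0, min(100, $discountPct));
    return intdiv($unitCents * $count * (100 - $discountPct), 100);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST required');
}
if (empty($_SESSION['uid'])) {
    fail(401, 'login required');
}
$uid = (int) $_SESSION['uid'];

// Only the order id and the quantity are read from the request. Any
// "zhekou" (discount) field sent by the client is deliberately not read.
$zid   = filter_input(INPUT_POST, 'zid', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
$count = filter_input(INPUT_POST, 'count', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 10000]]);
if (!is_int($zid) || !is_int($count)) {
    fail(400, 'invalid zid or count');
}

$pdo = new PDO('mysql:host=127.0.0.1;dbname=likesys', 'app', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->beginTransaction();

// Authorization: the order referenced by zid must belong to the caller.
// The row is locked so the ownership check and the update are atomic.
$own = $pdo->prepare('SELECT user_id FROM vote_orders WHERE id = ? FOR UPDATE');
$own->execute([$zid]);
$owner = $own->fetchColumn();
if ($owner === false || (int) $owner !== $uid) {
    $pdo->rollBack();
    fail(403, 'order does not belong to this user');
}

// Pricing is looked up from server configuration, never from POST data.
$cfg = $pdo->query(
    'SELECT unit_price_cents, discount_pct FROM pricing WHERE active = 1 LIMIT 1'
)->fetch(PDO::FETCH_ASSOC);
if ($cfg === false) {
    $pdo->rollBack();
    fail(500, 'pricing not configured');
}
$total = computeTotalCents((int) $cfg['unit_price_cents'], (int) $cfg['discount_pct'], $count);

// The user_id predicate is repeated in the UPDATE as a second guard.
$upd = $pdo->prepare(
    'UPDATE vote_orders SET votes = votes + ?, amount_cents = amount_cents + ?
      WHERE id = ? AND user_id = ?'
);
$upd->execute([$count, $total, $zid, $uid]);
$pdo->commit();

header('Content-Type: application/json');
echo json_encode([
    'ok' => true, 'zid' => $zid, 'votes_added' => $count, 'charged_cents' => $total,
]);
```

Two points are worth checking in any real fix: the ownership query and the update run inside one transaction with the row locked, so a concurrent request cannot change the owner between the check and the write; and the discount is clamped in computeTotalCents, so even a bad configuration row cannot produce a negative or zero charge. A regression test for the original flaw is simply a POST that includes zhekou=1 and a foreign zid: the handler must return 403 and leave both the charged amount and the vote total unchanged.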

Tags: Exploit · Fix · RCE · Improper Access Control · Improper Authorization

Weakness Enumeration

Related Identifiers: CVE-2025-60784

Affected Products: Xiaozhangbang Voluntary Like System