A vulnerability in the XiaozhangBang Voluntary Like System V8.8 allows remote attackers to manipulate the zhekou parameter in the /topfirst.php Pay module, enabling unauthorized discounts. By sending a crafted HTTP POST request with zhekou set to an abnormally low value, an attacker can purchase votes at a reduced cost. Furthermore, by modifying the zid parameter, attackers can influence purchases made by other users, amplifying the impact. This issue stems from insufficient server-side validation of these parameters, potentially leading to economic loss and unfair manipulation of vote counts.
References
| Link | Resource |
|---|---|
| https://github.com/GoogTech/CVE/blob/master/Incorrect%20Access%20Control/Incorrect-Access-Control-in-XiaozhangBang-Voluntary-Like-System-V8.8.md | Exploit Third Party Advisory |
| https://github.com/GoogTech/CVE/blob/master/Incorrect-Access-Control-in-XiaozhangBang-Voluntary-Like-System-V8.8.md | Exploit Third Party Advisory |
Configurations
History
09 Jan 2026, 17:37
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Xiaozhangbang
Xiaozhangbang voluntary Like System |
|
| CPE | cpe:2.3:a:xiaozhangbang:voluntary_like_system:8.8:*:*:*:*:*:*:* | |
| References | () https://github.com/GoogTech/CVE/blob/master/Incorrect%20Access%20Control/Incorrect-Access-Control-in-XiaozhangBang-Voluntary-Like-System-V8.8.md - Exploit, Third Party Advisory | |
| References | () https://github.com/GoogTech/CVE/blob/master/Incorrect-Access-Control-in-XiaozhangBang-Voluntary-Like-System-V8.8.md - Exploit, Third Party Advisory |
05 Nov 2025, 21:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-11-05 21:15
Updated : 2026-01-09 17:37
NVD link : CVE-2025-60784
Mitre link : CVE-2025-60784
CVE.ORG link : CVE-2025-60784
JSON object : View
Products Affected
xiaozhangbang
- voluntary_like_system