Security Advisory: Incorrect Access Control in XiaozhangBang Voluntary Like System V8.8

Summary

An Incorrect Access Control vulnerability has been identified in XiaozhangBang Voluntary Like System V8.8. The application fails to enforce server-side access control checks on critical parameters during the voting payment process. Specifically, the zhikou (discount) parameter can be modified by the client without validation, allowing unauthorized discounts and manipulation of the vote-purchasing mechanism. Additionally, an attacker can manipulate the zid parameter to influence purchases made by other users, further amplifying the impact.

Affected Product

Vendor: XiaozhangBang
Product: Voluntary Like System
Version: V8.8 (and possibly earlier versions)
Component: Voting / Payment Module

Impact

Financial Loss: Unauthorized discounts lead to significant revenue loss.
Integrity Violation: Attackers can unfairly manipulate vote counts for themselves and other users.

CVSS v3.1 Score

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Base Score: 7.1 (High)

Reproduction Steps

Step 1 - Purchase Votes

An attacker modifies the zhikou parameter in the payment request. For example, changing zhikou=100 (full price) to zhikou=1 results in an unauthorized discount of 99%, effectively allowing the purchase at only 0.01 of the original price (e.g. 200 RMB reduced to 2 RMB). By also modifying the zid parameter, the attacker can manipulate purchases for other users.

Step 2 - WeChat Pay

The manipulated order is processed by the payment gateway with the unauthorized discounted price.

Step 3 - Payment Confirmation

The system confirms the payment and grants the attacker votes at the manipulated cost.

Remediation

Enforce strict server-side access control for all pricing and discount parameters. Do not rely on client-supplied values such as zhikou to calculate transaction amounts.

Timeline

2025-08-21: Vulnerability discovered and verified.
2025-08-24: Public disclosure prepared.
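The following is an added illustration of the remediation, not code from the advisory or from the vendor's product (the real application's language, routes and table layout are unknown). It places a price calculation that trusts the client's zhikou next to a hardened version that takes the price and discount from server-side tables, binds zid to the authenticated session, and checks the gateway's confirmed amount against the server-recorded order before any votes are granted. The vote-pack catalogue, campaign table, user ids and request dictionaries are constructed sample data.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed server-side catalogue: vote pack id -> full price in RMB (assumed values).
VOTE_PACKS = {"pack_200": Decimal("200.00"), "pack_50": Decimal("50.00")}

# Constructed server-side discount table: campaign code -> zhikou, i.e. the
# percentage of the full price that is charged. Anything not listed is full price.
DISCOUNT_CAMPAIGNS = {"spring2025": 80}


class AccessDenied(Exception):
    """zid does not belong to the authenticated user."""


class InvalidOrder(Exception):
    """Unknown pack or discount outside the permitted range."""


def _rmb(amount: Decimal) -> Decimal:
    """Round to cents the way a payment gateway expects."""
    return amount.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def vulnerable_amount(request: dict, full_price: Decimal) -> Decimal:
    """The defect the advisory describes: the discount comes straight from the client.
    A request carrying zhikou=1 pays 1% of the full price."""
    zhikou = int(request.get("zhikou", 100))
    return _rmb(full_price * zhikou / 100)


def hardened_amount(request: dict, session_user_id: str) -> dict:
    """Build an order whose price, discount and owner are all decided server-side."""
    pack_id = request.get("pack")
    if pack_id not in VOTE_PACKS:
        raise InvalidOrder(f"unknown vote pack {pack_id!r}")

    # zid (assumed here to be the account the purchase is credited to) must match
    # the session; a client cannot place or alter an order for another user.
    zid = request.get("zid")
    if zid is None or str(zid) != str(session_user_id):
        raise AccessDenied("zid does not match the authenticated user")

    # The discount is looked up from the server-side campaign table. Whatever
    # zhikou the client sent is ignored entirely.
    zhikou = DISCOUNT_CAMPAIGNS.get(request.get("campaign"), 100)
    if not 1 <= zhikou <= 100:
        raise InvalidOrder(f"discount {zhikou} outside permitted range")

    return {
        "zid": str(session_user_id),
        "pack": pack_id,
        "zhikou": zhikou,
        "amount": _rmb(VOTE_PACKS[pack_id] * zhikou / 100),
    }


def confirm_payment(order: dict, paid_amount: Decimal) -> bool:
    """Payment-confirmation check: grant votes only if the gateway reports exactly
    the amount the server recorded for this order, never the amount in the callback alone."""
    return _rmb(paid_amount) == order["amount"]


if __name__ == "__main__":
    tampered = {"pack": "pack_200", "zid": "42", "zhikou": "1"}
    print("vulnerable charge:", vulnerable_amount(tampered, VOTE_PACKS["pack_200"]))
    order = hardened_amount(tampered, session_user_id="42")
    print("hardened charge:  ", order["amount"])
    print("2.00 accepted?    ", confirm_payment(order, Decimal("2.00")))
```

The hardened path keeps three facts out of the client's hands: which price applies (catalogue lookup), which discount applies (campaign table), and whose order it is (session binding). The confirmation step closes the remaining gap from Step 3 of the advisory, since a gateway callback for a reduced amount no longer matches the server's own record.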
References

CWE-284 (Improper Access Control): https://cwe.mitre.org/data/definitions/284.html
CWE-285 (Improper Authorization): https://cwe.mitre.org/data/definitions/285.html