Vulnerability Overview

Goguc CMS v4.08.18 contains a Mass Assignment vulnerability in the endpoint. An attacker can add the parameter to a user registration request; the server writes it into the database without checking whether the caller is allowed to set it, so a freshly registered standard user is created with VIP status and gains access to assets restricted to VIP users.

Scope of Impact

Affected Software: Goguc CMS
Affected Versions: v4.08.18
CVSS Score: 8.2 (High)

Remediation

In the function within the file, the code takes the user-supplied value and uses it directly in the database insert, with no permission check on who may set it.

Recommended Mitigation Measures:
1. Whitelist Mechanism: Before inserting request parameters into the database, allow only the specific fields a registering user may supply (e.g., , , , etc.) and explicitly remove or ignore the field.
2. Hardcoded Default Value: In the insert statement, set the value to a fixed default (e.g., 0) rather than taking it from .

Either measure closes the hole on its own; applying both means a later change to the whitelist cannot silently reopen it. After patching, repeat the exploitation steps below and confirm the new account's privilege level stays at the default.

POC / Exploitation Steps
1. Step 1: Create a new user account.
2. Step 2: Use Burp Suite to intercept the registration request and add the parameter to the request body (e.g., set it to the value corresponding to VIP).

Relevant Code Snippet (Login.php):
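The following PHP is an added illustration of the vulnerable pattern beside the two recommended fixes; it is not Goguc CMS code, and the table name `users`, the privilege column `user_level`, the value `1` for VIP and the registrable fields `username`, `password`, `email` are assumptions chosen for the example, not identifiers from the advisory.

```php
<?php
// Added example, not Goguc CMS code. The table name (users), the privilege
// column (user_level), the VIP value (1) and the registrable fields are
// assumptions for illustration only.
declare(strict_types=1);

// Vulnerable pattern: every submitted field becomes a column in the INSERT,
// so a client that adds an extra field (here the privilege column) sets it
// directly. The column names also come straight from the client, which is
// a second problem in its own right.
function registerVulnerable(PDO $db, array $post): void
{
    $columns      = array_keys($post);
    $placeholders = array_map(fn(string $c): string => ":$c", $columns);
    $sql = sprintf(
        'INSERT INTO users (%s) VALUES (%s)',
        implode(', ', $columns),
        implode(', ', $placeholders)
    );
    $stmt = $db->prepare($sql);
    foreach ($post as $k => $v) {
        $stmt->bindValue(":$k", $v);
    }
    $stmt->execute();
}

// Hardened pattern: a fixed whitelist of fields a registering user may supply
// (mitigation 1) and the privilege column hard-coded to 0 in the statement
// (mitigation 2). Anything else in the request is dropped.
const REGISTRABLE_FIELDS = ['username', 'password', 'email'];

function registerHardened(PDO $db, array $post): void
{
    $data = array_intersect_key($post, array_flip(REGISTRABLE_FIELDS));
    foreach (REGISTRABLE_FIELDS as $f) {
        if (!isset($data[$f]) || !is_string($data[$f]) || $data[$f] === '') {
            throw new InvalidArgumentException("missing or invalid field: $f");
        }
    }
    $stmt = $db->prepare(
        'INSERT INTO users (username, password, email, user_level)
         VALUES (:username, :password, :email, 0)'
    );
    $stmt->execute([
        ':username' => $data['username'],
        ':password' => password_hash($data['password'], PASSWORD_DEFAULT),
        ':email'    => $data['email'],
    ]);
}

// Demo against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL,
    password TEXT NOT NULL,
    email TEXT NOT NULL,
    user_level INTEGER NOT NULL DEFAULT 0
)');

// Constructed tampered registration body: the legitimate fields plus the
// injected privilege field, as an intercepting proxy would let an attacker add.
$tampered = [
    'username'   => 'alice',
    'password'   => 'hunter2',
    'email'      => 'alice@example.com',
    'user_level' => '1',
];

registerVulnerable($db, $tampered);   // stores user_level = 1
registerHardened($db, $tampered);     // stores user_level = 0

foreach ($db->query('SELECT id, username, user_level FROM users ORDER BY id') as $row) {
    printf("id=%d %s user_level=%d\n", $row['id'], $row['username'], $row['user_level']);
}
```

Run with `php` (PDO and the SQLite driver are bundled with most builds). The first row shows the injected value accepted by the vulnerable handler; the second shows the hardened handler discarding it. Note that the whitelist is applied with `array_intersect_key` before any SQL is built, so the request can never influence which columns are written.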