CVE-2025-60784
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-60784, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-05

Last updated on: 2025-11-06

Assigner: MITRE

Description

A vulnerability in the XiaozhangBang Voluntary Like System V8.8 allows remote attackers to manipulate the zhekou parameter in the /topfirst.php Pay module, enabling unauthorized discounts. By sending a crafted HTTP POST request with zhekou set to an abnormally low value, an attacker can purchase votes at a reduced cost. Furthermore, by modifying the zid parameter, attackers can influence purchases made by other users, amplifying the impact. This issue stems from insufficient server-side validation of these parameters, potentially leading to economic loss and unfair manipulation of vote counts.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-05
Last Modified
2025-11-06
Generated
2026-07-06
AI Q&A
2025-11-05
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
xiaozhangbang voluntary_like_system 8.8

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the XiaozhangBang Voluntary Like System V8.8, where remote attackers can manipulate the 'zhekou' parameter in the /topfirst.php Pay module by sending crafted HTTP POST requests. This allows them to set an abnormally low discount value, enabling unauthorized discounts on purchases. Additionally, by modifying the 'zid' parameter, attackers can affect purchases made by other users. The root cause is insufficient server-side validation of these parameters.

Impact Analysis

The vulnerability can lead to economic loss due to unauthorized discounts and unfair manipulation of vote counts. Attackers can purchase votes at reduced costs and influence other users' purchases, potentially undermining the integrity of the voting system and causing financial damage.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-60784. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart