CVE-2025-60784: n/a
A vulnerability in the XiaozhangBang Voluntary Like System V8.8 allows remote attackers to manipulate the zhekou parameter in the /topfirst.php Pay module, enabling unauthorized discounts. By sending a crafted HTTP POST request with zhekou set to an abnormally low value, an attacker can purchase votes at a reduced cost. Furthermore, by modifying the zid parameter, attackers can influence purchases made by other users, amplifying the impact. This issue stems from insufficient server-side validation of these parameters, potentially leading to economic loss and unfair manipulation of vote counts.
AI Analysis
Technical Summary
CVE-2025-60784 describes a business-logic flaw in the Pay module (/topfirst.php) of XiaozhangBang Voluntary Like System V8.8. The server trusts two client-supplied POST parameters that should instead be derived from server-side state: 'zhekou', the discount multiplier applied to the vote price, and 'zid', the identifier of the account the purchase applies to. Because 'zhekou' is read from the request rather than from a server-side discount table, an attacker can submit an abnormally low value and buy votes for a fraction of the intended price. Because 'zid' is likewise taken from the request rather than from the authenticated session, the same request can be pointed at another user's account, so the attacker can affect purchases that other users appear to have made; this is price manipulation combined with an insecure direct object reference. The result is direct financial loss for the operator and distortion of vote counts in any contest run on the platform. The CVE description says only that the flaw is exploitable by remote attackers; it does not state whether a logged-in account is needed to reach the Pay module, so any user who can send a POST to /topfirst.php should be treated as a potential attacker. No CVSS score has been assigned (the record's Cvss Version is null), and no patch or public exploit is documented on this page, but exploitation requires nothing more than a crafted HTTP POST, so the practical severity is high.
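The flaw described above, modelled in Python as an added illustration. This is not code from the XiaozhangBang product (its Pay module is PHP and its source is not on this page): the parameter names zhekou and zid come from the CVE description, while the price table, session layout, per-order cap and every function name here are assumptions. The vulnerable handler reads both the multiplier and the target account from the request body; the hardened one derives the price from a server-side table and the account from the session, and rejects a zid that names anyone else.

```python
"""Model of the pricing flaw described for CVE-2025-60784.

Added illustration, not code from the XiaozhangBang product: the real Pay
module is PHP (/topfirst.php) and its source is not on this page. The
parameter names zhekou and zid come from the CVE description; the price
table, the session layout and every function name here are assumptions.
"""
from dataclasses import dataclass

UNIT_PRICE = 100                          # assumed: cents per vote
# Assumed server-side discount table: code -> percentage of list price.
DISCOUNTS = {"none": 100, "bulk": 80}
MAX_VOTES = 10_000                        # assumed per-order cap


@dataclass
class Order:
    buyer: str      # account the votes are credited to
    votes: int
    charged: int    # amount actually charged, in cents


class ValidationError(Exception):
    """Raised by the hardened handler when the request is rejected."""


def pay_vulnerable(post: dict) -> Order:
    """The pattern the CVE describes: the discount multiplier and the target
    account are both read from the request body and used as-is."""
    zid = post["zid"]                     # attacker chooses whose purchase this is
    zhekou = float(post["zhekou"])        # attacker chooses the multiplier
    votes = int(post["num"])
    charged = int(UNIT_PRICE * votes * zhekou)
    return Order(buyer=zid, votes=votes, charged=charged)


def pay_hardened(post: dict, session: dict) -> Order:
    """Fix: the client may only name a discount code; the percentage comes
    from the server-side table and any zhekou in the request is ignored.
    The account acted on is the session user, and a zid that names anyone
    else is rejected rather than honoured."""
    buyer = session.get("user_id")
    if buyer is None:
        raise ValidationError("login required")
    if post.get("zid") not in (None, buyer):
        raise ValidationError("zid does not match the authenticated user")
    code = post.get("discount_code", "none")
    if code not in DISCOUNTS:
        raise ValidationError(f"unknown discount code {code!r}")
    try:
        votes = int(post["num"])
    except (KeyError, ValueError):
        raise ValidationError("num must be an integer") from None
    if not 1 <= votes <= MAX_VOTES:
        raise ValidationError("num out of range")
    # Integer arithmetic on cents: no float rounding games for the client.
    charged = UNIT_PRICE * votes * DISCOUNTS[code] // 100
    return Order(buyer=buyer, votes=votes, charged=charged)


def rejects(post: dict, session: dict) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        pay_hardened(post, session)
    except ValidationError:
        return True
    return False


# Constructed attacker request: 1000 votes at 1% of list price, applied to
# someone else's account.
ATTACK_POST = {"zid": "victim", "zhekou": "0.01", "num": "1000"}

if __name__ == "__main__":
    print("vulnerable:", pay_vulnerable(ATTACK_POST))
    print("hardened rejects attack:", rejects(ATTACK_POST, {"user_id": "attacker"}))
    print("hardened legit:", pay_hardened({"num": "1000", "discount_code": "bulk"},
                                          {"user_id": "attacker"}))
```

Against the constructed request, the vulnerable handler charges 1000 cents for 1000 votes and credits them to "victim"; the hardened handler refuses it outright, and the only way to get the 80% tier is to name the code "bulk", which yields the server's own figure of 80000 cents.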
Potential Impact
For European organizations running the XiaozhangBang Voluntary Like System, the most direct consequence is revenue loss: votes are sold at a price the attacker chose rather than the operator's. The second consequence is integrity loss in any vote, contest or promotional campaign run on the platform, since near-free votes let an attacker distort results cheaply, and organizations that base decisions or marketing claims on those counts risk reputational damage when the manipulation surfaces. Because zid lets the attacker act on other users' accounts, affected customers may dispute charges or results, which raises the prospect of legal liability and of losses passed on to payment processors or partners in the transaction chain. The attack needs only a crafted HTTP POST, so now that the endpoint and parameter names are public in this CVE record, automated abuse is cheap to mount; organizations that depend on such voting systems for customer engagement or internal decision-making are the most exposed.
Mitigation Recommendations
The root cause is that the price and the target account are derived from client input, so the fix is to stop trusting those parameters rather than to filter them:
- Compute the price entirely on the server. The client may select a discount code or product tier; the discount percentage and unit price come from a server-side table, and a zhekou value in the request is ignored or rejected.
- Take the acting account from the authenticated session. A zid that does not match the session user must be rejected, never honoured.
- Reconcile the amount at payment confirmation: the amount reported by the payment provider must equal the server-computed price before any votes are credited.
- Log each purchase with the session user, the account acted on, the vote count and the amount charged, and alert on purchases whose implied discount is below anything the business offers or whose zid differs from the session user.
- Rate-limit /topfirst.php per account and per source address to slow automated abuse.
- Apply the vendor's fix for V8.8 once one is published; until then, restrict access to the Pay module to trusted networks, or disable it if the business can tolerate that.
- Audit existing vote counts and payment records for under-priced purchases and cross-account zid usage, reverse fraudulent votes, and keep a record of any disputed transactions.
- Brief support staff on what a disputed or suspiciously cheap purchase looks like so that user reports reach the security team.
- Multi-factor authentication does not stop this attack on its own, because the attacker uses their own legitimately obtained session; it remains worthwhile for administrative accounts that can change prices or vote totals.
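The logging and alerting point above, worked through as an added example (not part of the advisory or of the vendor's product). The transaction-log format is constructed for this illustration, since the page shows no real XiaozhangBang logs, so every field name is an assumption; the approach transfers to any log that records who was logged in, which account a purchase was applied to, and what was charged. It flags purchases whose implied discount is below the lowest legitimate tier, purchases where zid differs from the session user, and source addresses firing many purchases inside a short window.

```python
"""Detection pass for the abuse pattern of CVE-2025-60784.

Added example, not part of the advisory or of the vendor's product. The
transaction-log format below is constructed for this illustration (the
page shows no real XiaozhangBang logs), so every field name is an
assumption; the approach transfers to any log that records who was logged
in, which account a purchase was applied to, and what was charged.
"""
import re
from collections import defaultdict
from datetime import datetime

UNIT_PRICE = 100            # assumed: cents per vote
MIN_LEGIT_DISCOUNT = 0.8    # assumed: lowest multiplier the business ever offers
BURST_THRESHOLD = 3         # purchases from one IP inside the window
BURST_WINDOW_S = 60

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<ip>\S+) POST /topfirst\.php "
    r"session_user=(?P<user>\S+) zid=(?P<zid>\S+) num=(?P<num>\d+) "
    r"zhekou=(?P<zhekou>[\d.]+) charged=(?P<charged>\d+)$"
)

# Constructed sample: two honest purchases, then one source firing
# under-priced and cross-account requests in quick succession.
SAMPLE_LOG = """\
2025-11-05T20:40:01Z 203.0.113.5 POST /topfirst.php session_user=u1023 zid=u1023 num=10 zhekou=1.0 charged=1000
2025-11-05T20:40:09Z 203.0.113.5 POST /topfirst.php session_user=u1023 zid=u1023 num=50 zhekou=0.8 charged=4000
2025-11-05T20:41:15Z 198.51.100.7 POST /topfirst.php session_user=u2001 zid=u2001 num=1000 zhekou=0.01 charged=1000
2025-11-05T20:41:16Z 198.51.100.7 POST /topfirst.php session_user=u2001 zid=u1023 num=500 zhekou=0.01 charged=500
2025-11-05T20:41:17Z 198.51.100.7 POST /topfirst.php session_user=u2001 zid=u3333 num=500 zhekou=1.0 charged=50000
2025-11-05T20:41:18Z 198.51.100.7 POST /topfirst.php session_user=u2001 zid=u2001 num=5 zhekou=1.0 charged=500
"""


def parse(log: str) -> list:
    """Turn log text into dicts; lines that do not match are skipped."""
    records = []
    for n, line in enumerate(log.splitlines(), 1):
        m = LINE_RE.match(line)
        if m:
            r = m.groupdict()
            r["line"] = n
            r["num"] = int(r["num"])
            r["charged"] = int(r["charged"])
            r["ts"] = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
            records.append(r)
    return records


def burst_sources(records: list) -> dict:
    """IPs with >= BURST_THRESHOLD purchases inside any BURST_WINDOW_S span,
    mapped to the largest such count (sliding window per IP)."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > BURST_WINDOW_S:
                start += 1
            count = end - start + 1
            if count >= BURST_THRESHOLD:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


def analyse(log: str) -> list:
    """Return findings as dicts with keys line, kind, detail."""
    records = parse(log)
    findings = []
    for r in records:
        # Check the money, not the parameter: this works even when the
        # zhekou value itself is not logged.
        implied = r["charged"] / (UNIT_PRICE * r["num"])
        if implied < MIN_LEGIT_DISCOUNT:
            findings.append({"line": r["line"], "kind": "underpaid",
                             "detail": f"implied discount {implied:.2f}"})
        if r["zid"] != r["user"]:
            findings.append({"line": r["line"], "kind": "zid_mismatch",
                             "detail": f"session {r['user']} acted on {r['zid']}"})
    for ip, count in burst_sources(records).items():
        findings.append({"line": 0, "kind": "burst",
                         "detail": f"{count} purchases from {ip} within {BURST_WINDOW_S}s"})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f['line'] or '-'}: {f['kind']}: {f['detail']}")
```

On the constructed sample this yields two underpaid findings (lines 3 and 4), two zid mismatches (lines 4 and 5) and one burst finding for 198.51.100.7. Checking the charged amount against the server's own price floor, rather than the zhekou field, is deliberate: it catches the same abuse whichever parameter was tampered with, and it still works if the application only logs what was paid.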
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 690bb7fc6ab8174a0d369d6e
Added to database: 11/5/2025, 8:47:56 PM
Last enriched: 11/5/2025, 9:03:02 PM
Last updated: 11/6/2025, 4:27:46 AM