SeaCMS
cpe:2.3:a:seacms:seacms:*:*:*:*:*:*:*
- 13.1
SeaCMS version 13.1 contains an incorrect access control vulnerability that allows any user to recharge membership for an indefinite period. This logic flaw could lead to unauthorized benefits or privileges within the application.
Exploitation of this vulnerability could result in unauthorized users gaining extended membership privileges, potentially allowing access to premium features or content.
To reproduce this vulnerability, log into the SeaCMS application and navigate to the member recharge section. Select a recharge option and initiate the process. Once the recharge is confirmed, manually change the 'gid' parameter to '1' in the request. The system will incorrectly validate this as a successful recharge, allowing the user to accumulate additional membership time. This process can be repeated indefinitely, effectively exploiting the access control flaw.
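A server-side check that closes this class of flaw, as an added example that is not SeaCMS code and not part of the original advisory: the membership group and duration are read from the stored order, and each paid order is applied only once. It assumes `gid` selects the membership group (the page does not say what it identifies); the `order_id` parameter, the `applyRecharge` function and all records are hypothetical and constructed for illustration.

```php
<?php
// Hypothetical model, not SeaCMS code: all names and data below are constructed.
// Server-side order records, written only by the payment callback.
$orders = [
    'ord-1001' => ['user' => 7, 'gid' => 3, 'days' => 30, 'paid' => true,  'applied' => false],
    'ord-1002' => ['user' => 7, 'gid' => 3, 'days' => 30, 'paid' => false, 'applied' => false],
];
$members = [7 => ['gid' => 2, 'expires' => 0]];

/**
 * Apply a recharge. The membership group and duration come from the stored
 * order, never from the request; each paid order can be applied once.
 */
function applyRecharge(array &$orders, array &$members, int $sessionUser, array $request, int $now): string
{
    $orderId = (string)($request['order_id'] ?? '');
    if (!isset($orders[$orderId])) {
        return 'rejected: unknown order';
    }
    $order = &$orders[$orderId];
    if ($order['user'] !== $sessionUser) {
        return 'rejected: order belongs to another user';
    }
    if (!$order['paid']) {
        return 'rejected: order not paid';
    }
    if ($order['applied']) {
        return 'rejected: order already applied';   // blocks replay of the same request
    }
    // A client-supplied gid that disagrees with the order is a tampering signal.
    if (isset($request['gid']) && (int)$request['gid'] !== $order['gid']) {
        return 'rejected: gid does not match order';
    }
    $order['applied'] = true;
    $base = max($members[$sessionUser]['expires'], $now);
    $members[$sessionUser] = ['gid' => $order['gid'], 'expires' => $base + $order['days'] * 86400];
    return 'ok';
}

$now = 1700000000; // fixed timestamp so the run is repeatable
echo applyRecharge($orders, $members, 7, ['order_id' => 'ord-1001', 'gid' => '1'], $now), "\n"; // tampered gid
echo applyRecharge($orders, $members, 7, ['order_id' => 'ord-1001', 'gid' => '3'], $now), "\n"; // legitimate
echo applyRecharge($orders, $members, 7, ['order_id' => 'ord-1001', 'gid' => '3'], $now), "\n"; // replay
echo applyRecharge($orders, $members, 7, ['order_id' => 'ord-1002'], $now), "\n";               // unpaid
```

With a real database, the paid/applied check and the membership update must run in one transaction so that concurrent replays of the same order cannot both pass.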