CVE-2026-8738
Description
A security vulnerability has been identified in Sanluan PublicCMS 5.202506.d. The affected code path runs through the functions TradeOrderController.pay, TradePaymentController.pay and AccountGatewayComponent.pay, starting in the file publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeOrderController.java, in the Trade Payment Flow component. Manipulating the request leads to a business logic error. The attack can be carried out remotely. An exploit has been disclosed publicly and may be in use. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated attackers can force payment of any pending order using the victim's internal account balance in PublicCMS 5.202506.d.
Vulnerability
A business logic flaw exists in the PublicCMS trade payment flow in version 5.202506.d. The TradeOrderController.pay() method accepts the orderId and accountType request parameters without verifying that the caller is authenticated or owns the order. It creates an internal balance payment record for the specified order and redirects to TradePaymentController.pay(), which also performs no authentication check. That handler calls AccountGatewayComponent.pay(), which deducts the order amount from the internal account balance of the order's owner, the victim. Affected files include publiccms-trade/src/main/java/com/publiccms/controller/web/trade/TradeOrderController.java and the related payment logic [1].
Exploitation
An unauthenticated attacker sends a request to /tradeOrder/pay with the victim's orderId and accountType=account. The application does not require authentication and creates a payment record for the victim's order. The request is then redirected to /tradePayment/pay, which again does not verify the requester's identity and invokes the account gateway directly, deducting the funds from the victim's internal balance. The only precondition is knowledge of a pending order's orderId; no session, authentication token, or CSRF token is needed [1].
Impact
Successful exploitation forces a victim's pending order to be paid using their internal account balance, resulting in unauthorized financial loss for the victim. The attacker gains the ability to trigger payment without holding a valid session or ownership of the order [1].
Mitigation
The vendor was contacted but did not respond, and no official patch has been released. As a workaround, add authentication and authorization checks to the affected endpoints so that a payment is created or executed only for a requester who holds a valid session and owns the order; because /tradePayment/pay is reachable directly, the check is needed on both endpoints, not only on /tradeOrder/pay. Alternatively, block or disable the /tradeOrder/pay and /tradePayment/pay endpoints if the internal-balance payment flow is not required [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
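The ownership check described under Vulnerability and Mitigation, as an added example that is not code from PublicCMS or from this advisory's references: a self-contained Java model of the order, payment and account-debit chain, showing the vulnerable shape (no identity or ownership check, so the order owner's balance is debited whoever calls) beside the hardened shape, which checks the session and ownership at both the order step and the payment step. All class, method and field names, and the sample balances and order, are assumptions constructed for the illustration; the real handlers are Spring MVC controllers and are not reproduced here.

```java
import java.util.HashMap;
import java.util.Map;

/*
 * Added illustration, not code from PublicCMS. Models the order -> payment ->
 * account-debit chain the advisory describes. Names are assumptions.
 */
public class OrderPaymentCheckDemo {

    enum Outcome { OK, UNAUTHENTICATED, FORBIDDEN, NOT_FOUND, ALREADY_PAID,
                   UNSUPPORTED_GATEWAY, INSUFFICIENT_FUNDS }

    static final class Order {
        final long id, ownerUserId, amountCents;
        boolean paid;
        Order(long id, long ownerUserId, long amountCents) {
            this.id = id; this.ownerUserId = ownerUserId; this.amountCents = amountCents;
        }
    }

    static final class Payment {
        final long id, orderId, payerUserId, amountCents;
        Payment(long id, long orderId, long payerUserId, long amountCents) {
            this.id = id; this.orderId = orderId;
            this.payerUserId = payerUserId; this.amountCents = amountCents;
        }
    }

    final Map<Long, Order> orders = new HashMap<>();
    final Map<Long, Payment> payments = new HashMap<>();
    final Map<Long, Long> balanceCents = new HashMap<>();   // internal balance per user id
    private long nextPaymentId = 1;

    /* Vulnerable shape: the caller's identity is never consulted. Anyone who
     * knows an orderId creates a payment whose payer is the order's owner. */
    Outcome vulnerableOrderPay(long orderId, String accountType) {
        if (!"account".equals(accountType)) return Outcome.UNSUPPORTED_GATEWAY;
        Order order = orders.get(orderId);
        if (order == null) return Outcome.NOT_FOUND;
        if (order.paid) return Outcome.ALREADY_PAID;
        Payment p = new Payment(nextPaymentId++, orderId, order.ownerUserId, order.amountCents);
        payments.put(p.id, p);
        return accountGatewayPay(p, order);   // the redirect target had no check either
    }

    /* Hardened step 1 (analogue of /tradeOrder/pay): require a session and
     * require that the session user owns the order before any record exists. */
    Outcome orderPay(Long sessionUserId, long orderId, String accountType) {
        if (sessionUserId == null) return Outcome.UNAUTHENTICATED;
        if (!"account".equals(accountType)) return Outcome.UNSUPPORTED_GATEWAY;
        Order order = orders.get(orderId);
        if (order == null) return Outcome.NOT_FOUND;
        if (order.ownerUserId != sessionUserId) return Outcome.FORBIDDEN;
        if (order.paid) return Outcome.ALREADY_PAID;
        Payment p = new Payment(nextPaymentId++, orderId, sessionUserId, order.amountCents);
        payments.put(p.id, p);
        return paymentPay(sessionUserId, p.id);
    }

    /* Hardened step 2 (analogue of /tradePayment/pay): the redirect target is an
     * entry point of its own, so it re-checks identity instead of trusting step 1. */
    Outcome paymentPay(Long sessionUserId, long paymentId) {
        if (sessionUserId == null) return Outcome.UNAUTHENTICATED;
        Payment p = payments.get(paymentId);
        if (p == null) return Outcome.NOT_FOUND;
        if (p.payerUserId != sessionUserId) return Outcome.FORBIDDEN;
        Order order = orders.get(p.orderId);
        if (order.paid) return Outcome.ALREADY_PAID;
        return accountGatewayPay(p, order);
    }

    /* Step 3 (analogue of AccountGatewayComponent.pay): debits the payer recorded
     * on the payment. Safe only if the callers bound payerUserId to the caller. */
    Outcome accountGatewayPay(Payment p, Order order) {
        long bal = balanceCents.getOrDefault(p.payerUserId, 0L);
        if (bal < p.amountCents) return Outcome.INSUFFICIENT_FUNDS;
        balanceCents.put(p.payerUserId, bal - p.amountCents);
        order.paid = true;
        return Outcome.OK;
    }

    public static void main(String[] args) {
        // Constructed scenario: user 7 is the victim with a balance and a pending order.
        OrderPaymentCheckDemo app = new OrderPaymentCheckDemo();
        app.balanceCents.put(7L, 10_000L);
        app.orders.put(42L, new Order(42, 7, 2_500));

        // Vulnerable path: no session at all, yet the victim's order is paid from her balance.
        System.out.println("vulnerable, no session: " + app.vulnerableOrderPay(42, "account")
                + ", victim balance now " + app.balanceCents.get(7L));

        // Same scenario again against the hardened path, for three different callers.
        app.orders.put(42L, new Order(42, 7, 2_500));
        app.balanceCents.put(7L, 10_000L);
        System.out.println("hardened, no session:  " + app.orderPay(null, 42, "account"));
        System.out.println("hardened, user 9:      " + app.orderPay(9L, 42, "account"));
        System.out.println("hardened, owner 7:     " + app.orderPay(7L, 42, "account")
                + ", owner balance now " + app.balanceCents.get(7L));
    }
}
```

Compile and run with javac and java. The design point is that the second endpoint repeats the session and ownership checks: a handler reached by redirect is still reachable directly, so a check that lives only on the first endpoint protects nothing.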
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions (0)
No linked articles in our index yet.