老花生 / Open-Shop

[security vulnerability] Free Payment of Orders

Status: To do
Created on 2023-06-30 14:23

Recently, our team found a vulnerability causing the free payment of orders in the latest version of the project.
The vulnerability logic is present in the file:
https://gitee.com/old-peanut/wechat_applet__open_source/blob/new/platform-api/src/main/java/com/platform/api/ApiOrderController.java#L133

The API endpoint /api/order/updateSuccess is protected by AuthorizationInterceptor (located at: https://gitee.com/old-peanut/wechat_applet__open_source/blob/new/platform-api/src/main/java/com/platform/interceptor/AuthorizationInterceptor.java) which only checks the login status of the user.
However, there is no verification of the user's privilege level when updating the order status via orderService.update(). Consequently, any logged-in user can access this API and change the payment status of unpaid orders (identified by orderId) to achieve free payment.

To address this vulnerability, we recommend that developers implement access control policies to restrict the modification of order status to privileged users only.
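As an added illustration of the recommendation above (example code, not code from the Open-Shop project), the following plain Java model contrasts the reported shape, where the only check is the login status the interceptor already established, with a hardened update that also requires a privileged role and a legal unpaid-to-paid transition. Class names, the role model, and the status codes are assumptions for the demo and are not taken from the project.

```java
import java.util.HashMap;
import java.util.Map;

// Added example, not code from the Open-Shop project. It models the issue's
// point without Spring: the interceptor answers "is the caller logged in?",
// but the order-status update itself must also answer "may this caller mark
// this order paid?". Class, field and status names are assumptions.
public class OrderStatusAuthz {

    enum Role { USER, ADMIN }

    static final class User {
        final long id;
        final Role role;
        User(long id, Role role) { this.id = id; this.role = role; }
    }

    // Constructed status codes for the demo; the real project's values may differ.
    static final int UNPAID = 0;
    static final int PAID = 2;

    static final class Order {
        final long id;
        final long ownerUserId;
        int payStatus = UNPAID;
        Order(long id, long ownerUserId) { this.id = id; this.ownerUserId = ownerUserId; }
    }

    static final class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    private final Map<Long, Order> orders = new HashMap<>();

    void addOrder(Order o) { orders.put(o.id, o); }

    Order getOrder(long id) { return orders.get(id); }

    // Reported shape: the only check is the one the interceptor already did
    // (caller is logged in); the status is then written unconditionally.
    void updateSuccessVulnerable(User caller, long orderId) {
        if (caller == null) throw new AccessDeniedException("login required");
        Order o = orders.get(orderId);
        if (o == null) throw new IllegalArgumentException("no such order");
        o.payStatus = PAID;                 // any logged-in user reaches this line
    }

    // Hardened shape: login is necessary but not sufficient. Marking an order
    // paid through this path is restricted to privileged callers, and only the
    // legal transition (unpaid -> paid) is accepted.
    void updateSuccessHardened(User caller, long orderId) {
        if (caller == null) throw new AccessDeniedException("login required");
        if (caller.role != Role.ADMIN) {
            throw new AccessDeniedException("user " + caller.id
                    + " may not change the payment status of order " + orderId);
        }
        Order o = orders.get(orderId);
        if (o == null) throw new IllegalArgumentException("no such order");
        if (o.payStatus != UNPAID) {
            throw new IllegalStateException("order " + orderId + " is not unpaid");
        }
        o.payStatus = PAID;
    }

    public static void main(String[] args) {
        OrderStatusAuthz svc = new OrderStatusAuthz();
        svc.addOrder(new Order(1001L, 7L));            // constructed: order 1001 belongs to user 7
        User ordinaryUser = new User(42L, Role.USER);  // a logged-in user who does not own it
        User admin = new User(1L, Role.ADMIN);

        svc.updateSuccessVulnerable(ordinaryUser, 1001L);
        System.out.println("vulnerable path, order 1001 status: " + svc.getOrder(1001L).payStatus);

        svc.addOrder(new Order(1002L, 7L));
        try {
            svc.updateSuccessHardened(ordinaryUser, 1002L);
        } catch (AccessDeniedException e) {
            System.out.println("hardened path rejected: " + e.getMessage());
        }
        svc.updateSuccessHardened(admin, 1002L);
        System.out.println("hardened path, order 1002 status: " + svc.getOrder(1002L).payStatus);
    }
}
```

The role check belongs in the service method rather than only in the interceptor, so that every caller of the update logic, not just the HTTP route, is covered; the state check additionally stops a repeated or out-of-order status write even from a privileged caller.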

Comments (0)

GatekeeperBuster created the task
