CVE-2026-3460 (GCVE-0-2026-3460)
Vulnerability from cvelistv5
Published: 2026-03-21 03:26
Modified: 2026-04-08 17:00
CWE
- CWE-20 - Improper Input Validation
Summary
The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied 'openid' parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled 'userid' parameter to determine which user's metadata gets modified, with no verification that the 'openid' and 'userid' belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary users' store-related metadata (storeinfo, storeappid, storename) via the 'userid' REST API parameter.
Impacted products
| Vendor | Product | Version |
|---|---|---|
| xjb | REST API TO MiniProgram | 0 ≤ 5.1.2 |
```json
{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3460",
                "options": [
                  { "Exploitation": "none" },
                  { "Automatable": "yes" },
                  { "Technical Impact": "partial" }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-23T16:35:42.947661Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-23T16:35:53.361Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "REST API TO MiniProgram",
          "vendor": "xjb",
          "versions": [
            {
              "lessThanOrEqual": "5.1.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        { "lang": "en", "type": "finder", "value": "Ronnachai Sretawat Na Ayutaya" },
        { "lang": "en", "type": "finder", "value": "Ronnachai Chaipha" }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied \u0027openid\u0027 parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled \u0027userid\u0027 parameter to determine which user\u0027s metadata gets modified, with no verification that the \u0027openid\u0027 and \u0027userid\u0027 belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary users\u0027 store-related metadata (storeinfo, storeappid, storename) via the \u0027userid\u0027 REST API parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:00:31.798Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        { "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7129d8cf-6b7d-4b7b-bd6a-85176247ab29?source=cve" },
        { "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L309" },
        { "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L309" },
        { "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L216" },
        { "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L216" },
        { "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L924" },
        { "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L924" }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-20T15:10:12.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "REST API TO MiniProgram \u003c= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via \u0027userid\u0027 REST API Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-3460",
    "datePublished": "2026-03-21T03:26:50.589Z",
    "dateReserved": "2026-03-02T21:32:15.597Z",
    "dateUpdated": "2026-04-08T17:00:31.798Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-3460\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-23T16:35:42.947661Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-23T16:35:48.867Z\"}}], \"cna\": {\"title\": \"REST API TO MiniProgram \u003c= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via \u0027userid\u0027 REST API Parameter\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Ronnachai Sretawat Na Ayutaya\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Ronnachai Chaipha\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\"}}], \"affected\": [{\"vendor\": \"xjb\", \"product\": \"REST API TO MiniProgram\", \"versions\": [{\"status\": \"affected\", \"version\": \"*\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.1.2\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-03-20T15:10:12.000Z\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/7129d8cf-6b7d-4b7b-bd6a-85176247ab29?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L309\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L309\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L216\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L216\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L924\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L924\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied \u0027openid\u0027 parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled \u0027userid\u0027 parameter to determine which user\u0027s metadata gets modified, with no verification that the \u0027openid\u0027 and \u0027userid\u0027 belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary users\u0027 store-related metadata (storeinfo, storeappid, storename) via the \u0027userid\u0027 REST API parameter.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-20\", \"description\": \"CWE-20 Improper Input Validation\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2026-03-21T03:26:50.589Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-3460\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-23T16:35:53.361Z\", \"dateReserved\": \"2026-03-02T21:32:15.597Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2026-03-21T03:26:50.589Z\", \"assignerShortName\": \"Wordfence\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}
```
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.