Description
The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied 'openid' parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled 'userid' parameter to determine which user's metadata gets modified, with no verification that the 'openid' and 'userid' belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary users' store-related metadata (storeinfo, storeappid, storename) via the 'userid' REST API parameter.
Published: 2026-03-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Modification of Store Metadata
Action: Apply Patch
AI Analysis

Impact

The REST API TO MiniProgram plugin for WordPress contains an Insecure Direct Object Reference flaw. The permission check verifies only that the supplied ‘openid’ belongs to an existing user, but the subsequent update routine uses an independent, attacker‑controlled ‘userid’ parameter to identify which user's metadata will be altered. Consequently, an authenticated attacker with Subscriber level access or higher can change the store‑related metadata (storeinfo, storeappid, storename) of any user on the site. This constitutes an integrity violation that could mislead customers or partners who rely on accurate store information.

Affected Systems

This vulnerability affects all releases of the xjb REST API TO MiniProgram plugin up to and including version 5.1.2. Any WordPress installation deploying the plugin within that version range is susceptible. Versions 5.1.3 and later have removed the problematic separation of validation logic.

Risk and Exploitability

The CVSS v3.1 score of 5.3 classifies the issue as moderate. Exploitation requires only that the attacker be a registered WordPress user with the Subscriber role or higher, which is commonly available on many sites. The attack vector is authenticated, with no remote code execution gain; the main risk is unauthorized alteration of user data. The vulnerability is not listed in CISA’s KEV catalog, and no EPSS score is available, so the precise likelihood of exploitation cannot be quantified. Nonetheless, the potential for silent data tampering warrants prompt remediation.

Generated by OpenCVE AI on March 21, 2026 at 07:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the REST API TO MiniProgram plugin to version 5.1.3 or later
  • Remove any older plugin files that may still reside on the site

Generated by OpenCVE AI on March 21, 2026 at 07:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Xjb
Xjb rest Api To Miniprogram
Vendors & Products Wordpress
Wordpress wordpress
Xjb
Xjb rest Api To Miniprogram

Sat, 21 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied 'openid' parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled 'userid' parameter to determine which user's metadata gets modified, with no verification that the 'openid' and 'userid' belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary users' store-related metadata (storeinfo, storeappid, storename) via the 'userid' REST API parameter.
Title REST API TO MiniProgram <= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'userid' REST API Parameter
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Wordpress Wordpress
Xjb Rest Api To Miniprogram
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:00:31.798Z

Reserved: 2026-03-02T21:32:15.597Z

Link: CVE-2026-3460

cve-icon Vulnrichment

Updated: 2026-03-23T16:35:48.867Z

cve-icon NVD

Status : Deferred

Published: 2026-03-21T04:17:23.620

Modified: 2026-04-24T16:27:44.277

Link: CVE-2026-3460

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:42:03Z

Weaknesses