{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3460", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-02T21:32:15.597Z", "datePublished": "2026-03-21T03:26:50.589Z", "dateUpdated": "2026-04-08T17:00:31.798Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:31.798Z"}, "affected": [{"vendor": "xjb", "product": "REST API TO MiniProgram", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied 'openid' parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled 'userid' parameter to determine which user's metadata gets modified, with no verification that the 'openid' and 'userid' belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary users' store-related metadata (storeinfo, storeappid, storename) via the 'userid' REST API parameter."}], "title": "REST API TO MiniProgram <= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'userid' REST API Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7129d8cf-6b7d-4b7b-bd6a-85176247ab29?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L309"}, {"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L309"}, {"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L216"}, {"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L216"}, {"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L924"}, {"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L924"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-20 Improper Input Validation", "cweId": "CWE-20", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ronnachai Sretawat Na Ayutaya"}, {"lang": "en", "type": "finder", "value": "Ronnachai Chaipha"}], "timeline": [{"time": "2026-03-20T15:10:12.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:35:42.947661Z", "id": "CVE-2026-3460", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:35:53.361Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3460", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T16:35:42.947661Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:35:48.867Z"}}], "cna": {"title": "REST API TO MiniProgram <= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'userid' REST API Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Ronnachai Sretawat Na Ayutaya"}, {"lang": "en", "type": "finder", "value": "Ronnachai Chaipha"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "xjb", "product": "REST API TO MiniProgram", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:10:12.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7129d8cf-6b7d-4b7b-bd6a-85176247ab29?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L309"}, {"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L309"}, {"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L216"}, {"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L216"}, {"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L924"}, {"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L924"}], "descriptions": [{"lang": "en", "value": "The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied 'openid' parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled 'userid' parameter to determine which user's metadata gets modified, with no verification that the 'openid' and 'userid' belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary users' store-related metadata (storeinfo, storeappid, storename) via the 'userid' REST API parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-21T03:26:50.589Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3460", "state": "PUBLISHED", "dateUpdated": "2026-03-23T16:35:53.361Z", "dateReserved": "2026-03-02T21:32:15.597Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:50.589Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied 'openid' parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled 'userid' parameter to determine which user's metadata gets modified, with no verification that the 'openid' and 'userid' belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary users' store-related metadata (storeinfo, storeappid, storename) via the 'userid' REST API parameter."}, {"lang": "es", "value": "El plugin REST API TO MiniProgram para WordPress es vulnerable a la Referencia Directa Insegura a Objetos en todas las versiones hasta la 5.1.2, inclusive. Esto se debe a que la funci\u00f3n de devoluci\u00f3n de llamada de permisos (update_user_wechatshop_info_permissions_check) solo valida que el par\u00e1metro 'openid' proporcionado corresponde a un usuario de WordPress existente, mientras que la funci\u00f3n de devoluci\u00f3n de llamada (update_user_wechatshop_info) utiliza un par\u00e1metro 'userid' separado y controlado por el atacante para determinar qu\u00e9 metadatos de usuario se modifican, sin verificar que 'openid' y 'userid' pertenezcan al mismo usuario. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, modifiquen metadatos relacionados con la tienda de usuarios arbitrarios (storeinfo, storeappid, storename) a trav\u00e9s del par\u00e1metro 'userid' de la API REST."}], "id": "CVE-2026-3460", "lastModified": "2026-04-24T16:27:44.277", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:17:23.620", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L216"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L309"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L924"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L216"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L309"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L924"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7129d8cf-6b7d-4b7b-bd6a-85176247ab29?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.1.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "rest_api_to_miniprogram", "vendor": "xjb"}], "analysis": {"en": {"generated_at": "2026-03-21T07:37:00.242998+00:00", "value": {"mitigation_remediation": ["Upgrade the REST API TO MiniProgram plugin to version 5.1.3 or later", "Remove any older plugin files that may still reside on the site"], "summary": {"action": "Apply Patch", "impact": "Unauthorized Modification of Store Metadata"}, "threat_synthesis": {"affected_systems": "This vulnerability affects all releases of the xjb REST API TO MiniProgram plugin up to and including version 5.1.2. Any WordPress installation deploying the plugin within that version range is susceptible. Versions 5.1.3 and later have removed the problematic separation of validation logic.", "description_and_impact": "The REST API TO MiniProgram plugin for WordPress contains an Insecure Direct Object Reference flaw. The permission check verifies only that the supplied \u2018openid\u2019 belongs to an existing user, but the subsequent update routine uses an independent, attacker\u2011controlled \u2018userid\u2019 parameter to identify which user's metadata will be altered. Consequently, an authenticated attacker with Subscriber level access or higher can change the store\u2011related metadata (storeinfo, storeappid, storename) of any user on the site. This constitutes an integrity violation that could mislead customers or partners who rely on accurate store information.", "risk_and_exploitability": "The CVSS\u202fv3.1 score of 5.3 classifies the issue as moderate. Exploitation requires only that the attacker be a registered WordPress user with the Subscriber role or higher, which is commonly available on many sites. The attack vector is authenticated, with no remote code execution gain; the main risk is unauthorized alteration of user data. The vulnerability is not listed in CISA\u2019s KEV catalog, and no EPSS score is available, so the precise likelihood of exploitation cannot be quantified. Nonetheless, the potential for silent data tampering warrants prompt remediation."}}}}, "created": "2026-03-23T09:50:30.898370+00:00", "updated": "2026-03-25T14:42:03.827684+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "xjb", "xjb$PRODUCT$rest_api_to_miniprogram"]}