CVE-2024-8485

Name of the Vulnerable Software and Affected Versions: REST API TO MiniProgram plugin for WordPress versions up to, and including, 4.7.1

Description: The issue allows for privilege escalation via account takeover due to missing validation on the openid user-controlled key in the updateUserInfo() function. This makes it possible for unauthenticated attackers to update arbitrary user's accounts, including their email to a @weixin.com email, which can then be leveraged to reset the password of the user's account, including administrators.

Recommendations: For versions up to, and including, 4.7.1, consider disabling the updateUserInfo() function until a patch is available to prevent exploitation. Restrict access to the REST API to minimize the risk of account takeover. Avoid using the openid key in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.