PT-2026-26855 · WordPress · Rest Api To Miniprogram

Ronnachai Chaipha

·

Published

2026-03-21

·

Updated

2026-03-21

·

CVE-2026-3460

CVSS v3.1

5.3

Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: REST API TO MiniProgram plugin for WordPress, versions through 5.1.2
Description: The REST API TO MiniProgram plugin for WordPress is susceptible to an Insecure Direct Object Reference (IDOR) issue. The issue stems from insufficient validation in the permission callback (update user wechatshop info permissions check), which only confirms that some WordPress user exists for the supplied openid parameter. The update user wechatshop info function, however, takes the target user from a separate, attacker-controlled userid parameter and modifies that user's metadata without verifying that openid and userid refer to the same user. This allows authenticated attackers with Subscriber-level access or higher to alter the store-related metadata (storeinfo, storeappid, storename) of arbitrary users by supplying another user's ID in the userid parameter of the REST API request. The vulnerable API endpoint is not explicitly named. The vulnerable parameters are openid and userid.
Recommendations: Versions up to and including 5.1.2 are affected; update to a release later than 5.1.2.
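The pattern described above, shown as an added illustration in plain WordPress REST API code. This is not the plugin's own code: the route path, the underscored function names, the meta key used to store the openid (assumed here to be a user-meta key named openid) and the sample user IDs are assumptions. The vulnerable variant reproduces the described flaw (the permission callback checks only that a user with the given openid exists, while the handler writes to whatever userid the client sends); the hardened variant resolves the user from the openid once and writes only to that user, rejecting any userid that does not match.

```php
<?php
// Added illustration, not the plugin's code. Assumes standard WordPress
// functions: register_rest_route(), WP_REST_Request, get_users(),
// update_user_meta(), WP_Error. Route and function names are assumptions.

// --- Vulnerable pattern --------------------------------------------------
// Permission callback: only asks "does any user with this openid exist?"
function vuln_update_user_wechatshop_info_permissions_check( WP_REST_Request $request ) {
    $openid = sanitize_text_field( (string) $request->get_param( 'openid' ) );
    $users  = get_users( array( 'meta_key' => 'openid', 'meta_value' => $openid, 'number' => 1 ) );
    return ! empty( $users );
}

// Handler: trusts a separate, client-controlled userid and never ties it to openid.
function vuln_update_user_wechatshop_info( WP_REST_Request $request ) {
    $userid = absint( $request->get_param( 'userid' ) ); // attacker picks the victim here
    foreach ( array( 'storeinfo', 'storeappid', 'storename' ) as $key ) {
        if ( null !== $request->get_param( $key ) ) {
            update_user_meta( $userid, $key, sanitize_text_field( (string) $request->get_param( $key ) ) );
        }
    }
    return rest_ensure_response( array( 'success' => true ) );
}

// --- Hardened pattern ----------------------------------------------------
// Resolve the WordPress user ID that owns an openid; 0 if none.
function safe_resolve_user_by_openid( $openid ) {
    $ids = get_users( array(
        'meta_key'   => 'openid',
        'meta_value' => $openid,
        'number'     => 1,
        'fields'     => 'ID',
    ) );
    return empty( $ids ) ? 0 : (int) $ids[0];
}

// Permission callback: bind the request to the user the openid resolves to.
function safe_update_user_wechatshop_info_permissions_check( WP_REST_Request $request ) {
    $openid  = sanitize_text_field( (string) $request->get_param( 'openid' ) );
    $user_id = safe_resolve_user_by_openid( $openid );
    if ( 0 === $user_id ) {
        return new WP_Error( 'rest_forbidden', 'Unknown openid', array( 'status' => 403 ) );
    }
    // If the client still sends userid for compatibility, it must match the owner.
    $claimed = $request->get_param( 'userid' );
    if ( null !== $claimed && absint( $claimed ) !== $user_id ) {
        return new WP_Error( 'rest_forbidden', 'openid and userid do not match', array( 'status' => 403 ) );
    }
    return true;
}

// Handler: derive the target user from openid again; never from the request's userid.
function safe_update_user_wechatshop_info( WP_REST_Request $request ) {
    $openid  = sanitize_text_field( (string) $request->get_param( 'openid' ) );
    $user_id = safe_resolve_user_by_openid( $openid );
    foreach ( array( 'storeinfo', 'storeappid', 'storename' ) as $key ) {
        if ( null !== $request->get_param( $key ) ) {
            update_user_meta( $user_id, $key, sanitize_text_field( (string) $request->get_param( $key ) ) );
        }
    }
    return rest_ensure_response( array( 'success' => true, 'user_id' => $user_id ) );
}

add_action( 'rest_api_init', function () {
    // Route path is an assumption; the advisory does not name the real endpoint.
    register_rest_route( 'example-miniprogram/v1', '/user/wechatshop', array(
        'methods'             => 'POST',
        'callback'            => 'safe_update_user_wechatshop_info',
        'permission_callback' => 'safe_update_user_wechatshop_info_permissions_check',
        'args'                => array(
            'openid' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

The key design point is that the permission callback and the handler must agree on which object is being authorized: the hardened handler recomputes the user from openid rather than reading a separate identifier, so there is no second parameter for an attacker to substitute. If an openid by itself is not a strong enough credential for the deployment, the permission callback should additionally require the caller to be logged in as that user or to hold a capability such as edit_users.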

Related Identifiers

CVE-2026-3460

Affected Products

Rest Api To Miniprogram