WordPress REST API TO MiniProgram plugin allows attackers to modify user data

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.3

WordPress REST API TO MiniProgram plugin allows attackers to modify user data

CVE-2026-3460

Summary

The REST API TO MiniProgram plugin for WordPress is vulnerable to an attack where an authenticated user, with a Subscriber-level account or higher, can modify arbitrary user data, such as store names and app IDs. This is a concern for users who rely on the plugin for managing user information. To protect against this, update to version 5.1.3 or later of the REST API TO MiniProgram plugin.

Original title

Original description

The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied 'openid' parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled 'userid' parameter to determine which user's metadata gets modified, with no verification that the 'openid' and 'userid' belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary users' store-related metadata (storeinfo, storeappid, storename) via the 'userid' REST API parameter.

nvd CVSS3.1 5.3

Vulnerability type

CWE-20 Improper Input Validation

Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026