Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    8 vulnerabilities found for REST API TO MiniProgram by xjb

    CVE-2026-3460 (GCVE-0-2026-3460)

    Vulnerability from nvd – Published: 2026-03-21 03:26 – Updated: 2026-04-08 17:00
    VLAI
    Title
    REST API TO MiniProgram <= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'userid' REST API Parameter
    Summary
    The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied 'openid' parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled 'userid' parameter to determine which user's metadata gets modified, with no verification that the 'openid' and 'userid' belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary users' store-related metadata (storeinfo, storeappid, storename) via the 'userid' REST API parameter.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    xjb REST API TO MiniProgram Affected: 0 , ≤ 5.1.2 (semver)
    Create a notification for this product.
    Credits
    Ronnachai Sretawat Na Ayutaya Ronnachai Chaipha
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3460",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-23T16:35:42.947661Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-23T16:35:53.361Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "REST API TO MiniProgram",
              "vendor": "xjb",
              "versions": [
                {
                  "lessThanOrEqual": "5.1.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ronnachai Sretawat Na Ayutaya"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Ronnachai Chaipha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied \u0027openid\u0027 parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled \u0027userid\u0027 parameter to determine which user\u0027s metadata gets modified, with no verification that the \u0027openid\u0027 and \u0027userid\u0027 belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary users\u0027 store-related metadata (storeinfo, storeappid, storename) via the \u0027userid\u0027 REST API parameter."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:00:31.798Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7129d8cf-6b7d-4b7b-bd6a-85176247ab29?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L309"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L309"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L216"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L216"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L924"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L924"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-20T15:10:12.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "REST API TO MiniProgram \u003c= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via \u0027userid\u0027 REST API Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-3460",
        "datePublished": "2026-03-21T03:26:50.589Z",
        "dateReserved": "2026-03-02T21:32:15.597Z",
        "dateUpdated": "2026-04-08T17:00:31.798Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-28886 (GCVE-0-2025-28886)

    Vulnerability from nvd – Published: 2025-03-11 21:00 – Updated: 2026-04-28 16:11
    VLAI
    Title
    WordPress REST API TO MiniProgram plugin <= 5.1.2 - Cross Site Request Forgery (CSRF) vulnerability
    Summary
    Cross-Site Request Forgery (CSRF) vulnerability in xjb REST API TO MiniProgram rest-api-to-miniprogram allows Cross Site Request Forgery.This issue affects REST API TO MiniProgram: from n/a through <= 5.1.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    xjb REST API TO MiniProgram Affected: 0 , ≤ 5.1.2 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:35
    Credits
    Skalucy | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-28886",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-12T13:45:10.751227Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-12T13:51:36.103Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "rest-api-to-miniprogram",
              "product": "REST API TO MiniProgram",
              "vendor": "xjb",
              "versions": [
                {
                  "lessThanOrEqual": "5.1.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Skalucy | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:35:52.584Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Cross-Site Request Forgery (CSRF) vulnerability in xjb REST API TO MiniProgram rest-api-to-miniprogram allows Cross Site Request Forgery.\u003cp\u003eThis issue affects REST API TO MiniProgram: from n/a through \u003c= 5.1.2.\u003c/p\u003e"
                }
              ],
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in xjb REST API TO MiniProgram rest-api-to-miniprogram allows Cross Site Request Forgery.This issue affects REST API TO MiniProgram: from n/a through \u003c= 5.1.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-62",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Cross Site Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:11:49.960Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/rest-api-to-miniprogram/vulnerability/wordpress-rest-api-to-miniprogram-plugin-4-7-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress REST API TO MiniProgram plugin \u003c= 5.1.2 - Cross Site Request Forgery (CSRF) vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-28886",
        "datePublished": "2025-03-11T21:00:46.038Z",
        "dateReserved": "2025-03-11T08:09:09.175Z",
        "dateUpdated": "2026-04-28T16:11:49.960Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-8485 (GCVE-0-2024-8485)

    Vulnerability from nvd – Published: 2024-09-25 02:05 – Updated: 2026-04-08 17:17
    VLAI
    Title
    REST API TO MiniProgram <= 4.7.1 - Unauthenticated Arbitrary User Email Update and Privilege Escalation via Account Takeover
    Summary
    The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via the updateUserInfo() due to missing validation on the 'openid' user controlled key that determines what user will be updated. This makes it possible for unauthenticated attackers to update arbitrary user's accounts, including their email to a @weixin.com email, which can the be leveraged to reset the password of the user's account, including administrators.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    xjb REST API TO MiniProgram Affected: 0 , ≤ 4.7.1 (semver)
    Create a notification for this product.
    jianbo rest-api-to-miniprogram Affected: 0 , ≤ 4.7.1 (custom)
        cpe:2.3:a:jianbo:rest-api-to-miniprogram:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jianbo:rest-api-to-miniprogram:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "rest-api-to-miniprogram",
                "vendor": "jianbo",
                "versions": [
                  {
                    "lessThanOrEqual": "4.7.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8485",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T13:24:19.158511Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T13:24:46.812Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "REST API TO MiniProgram",
              "vendor": "xjb",
              "versions": [
                {
                  "lessThanOrEqual": "4.7.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via the updateUserInfo() due to missing validation on the \u0027openid\u0027 user controlled key that determines what user will be updated. This makes it possible for unauthenticated attackers to update arbitrary user\u0027s accounts, including their email to a @weixin.com email, which can the be leveraged to reset the password of the user\u0027s account, including administrators."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:17:08.643Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b53066d3-2ff3-4460-896a-facd77455914?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.0/includes/api/ram-rest-weixin-controller.php#L264"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.6/includes/api/ram-rest-weixin-controller.php#L264"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-24T12:22:54.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "REST API TO MiniProgram \u003c= 4.7.1 - Unauthenticated Arbitrary User Email Update and Privilege Escalation via Account Takeover"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-8485",
        "datePublished": "2024-09-25T02:05:21.738Z",
        "dateReserved": "2024-09-05T16:14:56.147Z",
        "dateUpdated": "2026-04-08T17:17:08.643Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-8484 (GCVE-0-2024-8484)

    Vulnerability from nvd – Published: 2024-09-25 02:05 – Updated: 2026-04-08 16:59
    VLAI
    Title
    REST API TO MiniProgram <= 4.7.1 - Unauthenticated SQL Injection
    Summary
    The REST API TO MiniProgram plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/watch-life-net/v1/comment/getcomments REST API endpoint in all versions up to, and including, 4.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    xjb REST API TO MiniProgram Affected: 0 , ≤ 4.7.1 (semver)
    Create a notification for this product.
    jianbo rest-api-to-miniprogram Affected: 0 , ≤ 4.7.1 (custom)
        cpe:2.3:a:jianbo:rest-api-to-miniprogram:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jianbo:rest-api-to-miniprogram:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "rest-api-to-miniprogram",
                "vendor": "jianbo",
                "versions": [
                  {
                    "lessThanOrEqual": "4.7.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8484",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T13:21:46.419751Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T13:23:48.726Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "REST API TO MiniProgram",
              "vendor": "xjb",
              "versions": [
                {
                  "lessThanOrEqual": "4.7.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The REST API TO MiniProgram plugin for WordPress is vulnerable to SQL Injection via the \u0027order\u0027 parameter of the /wp-json/watch-life-net/v1/comment/getcomments REST API endpoint in all versions up to, and including, 4.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:59:36.023Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e0945eb-ceec-4536-822a-fe864c21b580?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.0/includes/api/ram-rest-comments-controller.php#L247"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3337740#file63"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-24T12:22:26.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "REST API TO MiniProgram \u003c= 4.7.1 - Unauthenticated SQL Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-8484",
        "datePublished": "2024-09-25T02:05:14.933Z",
        "dateReserved": "2024-09-05T16:07:22.417Z",
        "dateUpdated": "2026-04-08T16:59:36.023Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3460 (GCVE-0-2026-3460)

    Vulnerability from cvelistv5 – Published: 2026-03-21 03:26 – Updated: 2026-04-08 17:00
    VLAI
    Title
    REST API TO MiniProgram <= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'userid' REST API Parameter
    Summary
    The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied 'openid' parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled 'userid' parameter to determine which user's metadata gets modified, with no verification that the 'openid' and 'userid' belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary users' store-related metadata (storeinfo, storeappid, storename) via the 'userid' REST API parameter.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    xjb REST API TO MiniProgram Affected: 0 , ≤ 5.1.2 (semver)
    Create a notification for this product.
    Credits
    Ronnachai Sretawat Na Ayutaya Ronnachai Chaipha
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3460",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-23T16:35:42.947661Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-23T16:35:53.361Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "REST API TO MiniProgram",
              "vendor": "xjb",
              "versions": [
                {
                  "lessThanOrEqual": "5.1.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ronnachai Sretawat Na Ayutaya"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Ronnachai Chaipha"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied \u0027openid\u0027 parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled \u0027userid\u0027 parameter to determine which user\u0027s metadata gets modified, with no verification that the \u0027openid\u0027 and \u0027userid\u0027 belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary users\u0027 store-related metadata (storeinfo, storeappid, storename) via the \u0027userid\u0027 REST API parameter."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:00:31.798Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7129d8cf-6b7d-4b7b-bd6a-85176247ab29?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L309"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L309"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L216"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L216"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L924"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L924"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-20T15:10:12.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "REST API TO MiniProgram \u003c= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via \u0027userid\u0027 REST API Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-3460",
        "datePublished": "2026-03-21T03:26:50.589Z",
        "dateReserved": "2026-03-02T21:32:15.597Z",
        "dateUpdated": "2026-04-08T17:00:31.798Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-28886 (GCVE-0-2025-28886)

    Vulnerability from cvelistv5 – Published: 2025-03-11 21:00 – Updated: 2026-04-28 16:11
    VLAI
    Title
    WordPress REST API TO MiniProgram plugin <= 5.1.2 - Cross Site Request Forgery (CSRF) vulnerability
    Summary
    Cross-Site Request Forgery (CSRF) vulnerability in xjb REST API TO MiniProgram rest-api-to-miniprogram allows Cross Site Request Forgery.This issue affects REST API TO MiniProgram: from n/a through <= 5.1.2.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Vendor Product Version
    xjb REST API TO MiniProgram Affected: 0 , ≤ 5.1.2 (custom)
    Create a notification for this product.
    Date Public
    2026-04-01 16:35
    Credits
    Skalucy | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-28886",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-12T13:45:10.751227Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-12T13:51:36.103Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "rest-api-to-miniprogram",
              "product": "REST API TO MiniProgram",
              "vendor": "xjb",
              "versions": [
                {
                  "lessThanOrEqual": "5.1.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Skalucy | Patchstack Bug Bounty Program"
            }
          ],
          "datePublic": "2026-04-01T16:35:52.584Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Cross-Site Request Forgery (CSRF) vulnerability in xjb REST API TO MiniProgram rest-api-to-miniprogram allows Cross Site Request Forgery.\u003cp\u003eThis issue affects REST API TO MiniProgram: from n/a through \u003c= 5.1.2.\u003c/p\u003e"
                }
              ],
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in xjb REST API TO MiniProgram rest-api-to-miniprogram allows Cross Site Request Forgery.This issue affects REST API TO MiniProgram: from n/a through \u003c= 5.1.2."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-62",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "Cross Site Request Forgery"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:11:49.960Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/Wordpress/Plugin/rest-api-to-miniprogram/vulnerability/wordpress-rest-api-to-miniprogram-plugin-4-7-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
            }
          ],
          "title": "WordPress REST API TO MiniProgram plugin \u003c= 5.1.2 - Cross Site Request Forgery (CSRF) vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2025-28886",
        "datePublished": "2025-03-11T21:00:46.038Z",
        "dateReserved": "2025-03-11T08:09:09.175Z",
        "dateUpdated": "2026-04-28T16:11:49.960Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-8485 (GCVE-0-2024-8485)

    Vulnerability from cvelistv5 – Published: 2024-09-25 02:05 – Updated: 2026-04-08 17:17
    VLAI
    Title
    REST API TO MiniProgram <= 4.7.1 - Unauthenticated Arbitrary User Email Update and Privilege Escalation via Account Takeover
    Summary
    The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via the updateUserInfo() due to missing validation on the 'openid' user controlled key that determines what user will be updated. This makes it possible for unauthenticated attackers to update arbitrary user's accounts, including their email to a @weixin.com email, which can the be leveraged to reset the password of the user's account, including administrators.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Vendor Product Version
    xjb REST API TO MiniProgram Affected: 0 , ≤ 4.7.1 (semver)
    Create a notification for this product.
    jianbo rest-api-to-miniprogram Affected: 0 , ≤ 4.7.1 (custom)
        cpe:2.3:a:jianbo:rest-api-to-miniprogram:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jianbo:rest-api-to-miniprogram:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "rest-api-to-miniprogram",
                "vendor": "jianbo",
                "versions": [
                  {
                    "lessThanOrEqual": "4.7.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8485",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T13:24:19.158511Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T13:24:46.812Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "REST API TO MiniProgram",
              "vendor": "xjb",
              "versions": [
                {
                  "lessThanOrEqual": "4.7.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via the updateUserInfo() due to missing validation on the \u0027openid\u0027 user controlled key that determines what user will be updated. This makes it possible for unauthenticated attackers to update arbitrary user\u0027s accounts, including their email to a @weixin.com email, which can the be leveraged to reset the password of the user\u0027s account, including administrators."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:17:08.643Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b53066d3-2ff3-4460-896a-facd77455914?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.0/includes/api/ram-rest-weixin-controller.php#L264"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.6/includes/api/ram-rest-weixin-controller.php#L264"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-24T12:22:54.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "REST API TO MiniProgram \u003c= 4.7.1 - Unauthenticated Arbitrary User Email Update and Privilege Escalation via Account Takeover"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-8485",
        "datePublished": "2024-09-25T02:05:21.738Z",
        "dateReserved": "2024-09-05T16:14:56.147Z",
        "dateUpdated": "2026-04-08T17:17:08.643Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-8484 (GCVE-0-2024-8484)

    Vulnerability from cvelistv5 – Published: 2024-09-25 02:05 – Updated: 2026-04-08 16:59
    VLAI
    Title
    REST API TO MiniProgram <= 4.7.1 - Unauthenticated SQL Injection
    Summary
    The REST API TO MiniProgram plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/watch-life-net/v1/comment/getcomments REST API endpoint in all versions up to, and including, 4.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    xjb REST API TO MiniProgram Affected: 0 , ≤ 4.7.1 (semver)
    Create a notification for this product.
    jianbo rest-api-to-miniprogram Affected: 0 , ≤ 4.7.1 (custom)
        cpe:2.3:a:jianbo:rest-api-to-miniprogram:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:jianbo:rest-api-to-miniprogram:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "rest-api-to-miniprogram",
                "vendor": "jianbo",
                "versions": [
                  {
                    "lessThanOrEqual": "4.7.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8484",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T13:21:46.419751Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T13:23:48.726Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "REST API TO MiniProgram",
              "vendor": "xjb",
              "versions": [
                {
                  "lessThanOrEqual": "4.7.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The REST API TO MiniProgram plugin for WordPress is vulnerable to SQL Injection via the \u0027order\u0027 parameter of the /wp-json/watch-life-net/v1/comment/getcomments REST API endpoint in all versions up to, and including, 4.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:59:36.023Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e0945eb-ceec-4536-822a-fe864c21b580?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.0/includes/api/ram-rest-comments-controller.php#L247"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3337740#file63"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-24T12:22:26.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "REST API TO MiniProgram \u003c= 4.7.1 - Unauthenticated SQL Injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-8484",
        "datePublished": "2024-09-25T02:05:14.933Z",
        "dateReserved": "2024-09-05T16:07:22.417Z",
        "dateUpdated": "2026-04-08T16:59:36.023Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }