What the vulnerability does
01Description
The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied 'openid' parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled 'userid' parameter to determine which user's metadata gets modified, with no verification that the 'openid' and 'userid' belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary users' store-related metadata (storeinfo, storeappid, storename) via the 'userid' REST API parameter.
Explanation of Vulnerability in Simple Terms
02Summary
The REST API TO MiniProgram component in versions 5.1.2 and earlier does not properly validate input, allowing an attacker to modify data without authentication. The vulnerability requires only network access and no user interaction. Integrity of data processed through the API is at risk.
What an attacker can do
03Attacker Capabilities
Modify data processed by the REST API without authentication.
Potential impact on your site
04Site Impact
Attackers can alter data in systems using this REST API component, potentially affecting application logic and data integrity.
Conditions required to exploit
05Prerequisites
Network access to the affected component; no authentication or user interaction required.
Key dates
06Disclosure timeline
March 21, 2026
CVE published
April 8, 2026
Record updated
