CVE-2026-3460 Overview
CVE-2026-3460 is an Insecure Direct Object Reference (IDOR) vulnerability in the REST API TO MiniProgram plugin for WordPress, affecting all versions up to and including 5.1.2. The flaw resides in the update_user_wechatshop_info REST endpoint, where the permission callback validates only the supplied openid parameter while a separate, attacker-controlled userid parameter determines which account's metadata is modified. Authenticated attackers with Subscriber-level access or above can alter arbitrary users' store-related metadata, including storeinfo, storeappid, and storename. The issue is classified under [CWE-20] Improper Input Validation.
Critical Impact
Any authenticated user can tamper with store metadata belonging to other WordPress accounts, including administrators, leading to integrity loss across the e-commerce mini-program integration.
Affected Products
- REST API TO MiniProgram plugin for WordPress, all versions through 5.1.2
- WordPress sites running the WeChat mini-program REST integration
- Deployments exposing the ram-rest-weixin-controller.php endpoints to subscribers
Discovery Timeline
- 2026-03-21 - CVE-2026-3460 published to NVD
- 2026-04-24 - Last updated in NVD database
Technical Details for CVE-2026-3460
Vulnerability Analysis
The vulnerability exists in the plugin file includes/api/ram-rest-weixin-controller.php. The permission callback update_user_wechatshop_info_permissions_check verifies that the submitted openid parameter maps to an existing WordPress user, but does not bind that identity to the target of the write operation. The callback function update_user_wechatshop_info then reads a separate userid request parameter and uses it to update user metadata. Because the two parameters are evaluated independently, an authenticated subscriber can pass their own valid openid while supplying an arbitrary userid belonging to another account.
Root Cause
The root cause is broken object-level authorization. The permission check and the action handler operate on different identifiers without cross-validation that the openid and userid resolve to the same user. This pattern is a textbook IDOR, mapped to [CWE-20] in the advisory, where input validation does not enforce a relationship between the authenticated principal and the targeted object.
Attack Vector
Exploitation requires only Subscriber-level credentials, which are obtainable on any WordPress site that permits open registration. The attacker sends an authenticated REST API request to the vulnerable endpoint, providing a valid openid tied to their own account and a userid value targeting another user. The request modifies the victim's storeinfo, storeappid, and storename user metadata. Impact is limited to integrity of store-related metadata; confidentiality and availability are not directly affected.
For source-level review, see the WordPress Plugin Code Review (lines 216, 309 and 924), along with the Wordfence Vulnerability Analysis.
Detection Methods for CVE-2026-3460
Indicators of Compromise
- Unexpected modifications to WordPress usermeta rows containing the keys storeinfo, storeappid, or storename for accounts the requester does not own.
- Authenticated REST API requests to the update_user_wechatshop_info route where the openid and userid parameters resolve to different WordPress users.
- A spike in low-privilege Subscriber accounts issuing POST or PUT requests to /wp-json/ routes exposed by the REST API TO MiniProgram plugin.
Detection Strategies
- Review web server access logs for requests to the plugin's REST namespace that include both openid and userid parameters, and flag mismatches.
- Enable WordPress audit logging to record changes to user metadata, focusing on the three affected meta keys.
- Compare the user ID derived from the session cookie against the userid parameter at the application or web application firewall (WAF) layer.
Monitoring Recommendations
- Alert on Subscriber-role accounts performing administrative-style metadata writes via the REST API.
- Track creation of new Subscriber accounts followed shortly by REST calls to the vulnerable controller.
- Monitor for repeated requests iterating sequential userid values, which suggests enumeration of victim accounts.
How to Mitigate CVE-2026-3460
Immediate Actions Required
- Update the REST API TO MiniProgram plugin to a release later than 5.1.2 as soon as the vendor publishes a fixed version.
- If a patched version is not yet available, deactivate and remove the plugin from production sites.
- Audit WordPress usermeta entries for storeinfo, storeappid, and storename and revert unauthorized changes.
- Restrict new user registrations or temporarily disable the Subscriber role on sites that do not require public sign-up.
Patch Information
At the time of NVD publication on 2026-03-21, all versions up to and including 5.1.2 are affected. Administrators should consult the Wordfence Vulnerability Analysis and the plugin's WordPress.org listing for the latest fixed release. A proper fix must enforce that the openid parameter and the userid parameter resolve to the same WordPress user inside the permission callback.
Workarounds
- Block external access to the plugin's REST routes at the WAF, allowing only trusted backend IPs to call update_user_wechatshop_info.
- Add a custom rest_request_before_callbacks filter that rejects requests where the authenticated user ID does not match the userid parameter.
- Disable the affected endpoint by unregistering the route in a mu-plugin until an official patch is installed.
# Example: temporarily block the vulnerable REST route via .htaccess
# (place above the "# BEGIN WordPress" block; the second rule also covers the ?rest_route= form)
RewriteEngine On
RewriteRule ^wp-json/ram/v[0-9]+/update_user_wechatshop_info - [F,L]
RewriteCond %{QUERY_STRING} rest_route=.*update_user_wechatshop_info [NC]
RewriteRule ^ - [F,L]
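The second workaround (a rest_request_before_callbacks filter) as a mu-plugin, and the cross-check the Patch Information section asks for, written here as an added example rather than code from the plugin or the advisory. It matches the route by its final path segment only (the namespace and version are not assumed) and assumes the caller is WordPress-authenticated so that get_current_user_id() is set; the function and hook names are mine.

```php
<?php
/**
 * Plugin Name: CVE-2026-3460 interim guard (mu-plugin)
 * Description: Rejects update_user_wechatshop_info calls whose userid does not
 *              belong to the authenticated caller. Added example, not plugin code.
 */

// True when the caller $current_user_id may write store metadata of $target_user_id.
// Only the caller's own account is allowed, unless the caller can edit users.
function cve_2026_3460_userid_allowed( $current_user_id, $target_user_id ) {
    $target = (int) $target_user_id;
    if ( (int) $current_user_id <= 0 || $target <= 0 ) {
        return false;          // anonymous caller or malformed userid
    }
    if ( $target === (int) $current_user_id ) {
        return true;           // writing one's own store metadata
    }
    return user_can( (int) $current_user_id, 'edit_users' );
}

add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    // Guard only the vulnerable route; every other REST call passes through untouched.
    if ( ! preg_match( '#/update_user_wechatshop_info/?$#', $request->get_route() ) ) {
        return $response;
    }
    // get_param() reads query string, form body and JSON body alike.
    $userid = $request->get_param( 'userid' );
    if ( null === $userid ) {
        return $response;      // nothing to cross-check; the plugin's own checks apply
    }
    if ( ! cve_2026_3460_userid_allowed( get_current_user_id(), $userid ) ) {
        // Returning a WP_Error here aborts the request before the permission
        // callback and handler run.
        return new WP_Error(
            'rest_forbidden_userid',
            'userid must match the authenticated user.',
            array( 'status' => is_user_logged_in() ? 403 : 401 )
        );
    }
    return $response;
}, 10, 3 );
```

If mini-program clients authenticate only by openid (no WordPress session), get_current_user_id() is 0 and the guard rejects them; in that case resolve the submitted openid to a user ID inside the same check instead of relying on the session.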
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

