Vulnerability Details: CVE-2026-3460

Summary
Assigner: Wordfence
Assigner Org ID: b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At: 21 Mar, 2026 | 03:26
Updated At: 08 Apr, 2026 | 17:00
Rejected At: -

REST API TO MiniProgram <= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'userid' REST API Parameter

The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied 'openid' parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled 'userid' parameter to determine which user's metadata gets modified, with no verification that the 'openid' and 'userid' belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary users' store-related metadata (storeinfo, storeappid, storename) via the 'userid' REST API parameter.
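The mechanism this record describes, a permission callback that authorises on one request parameter while the handler acts on a different one, is illustrated below in an added PHP example. It is not the plugin's code and not from Wordfence; the REST namespace and route, the `openid` user-meta key, and every `example_*` function name are assumptions made for the illustration. The first pair of functions has the vulnerable shape (the check proves only that some user owns `openid`, the handler trusts `userid`); the second pair binds the record being modified to the identity the permission check actually verified and additionally requires the caller to be that user.

```php
<?php
// Added illustration of the bug class in CVE-2026-3460, not the plugin's code.
// Route, meta key and function names are assumptions for this example.

// Resolve the WordPress user whose 'openid' user meta equals the supplied value.
function example_user_from_openid( $openid ) {
    $users = get_users( array(
        'meta_key'   => 'openid',   // assumed meta key
        'meta_value' => $openid,
        'number'     => 1,
        'fields'     => 'ID',
    ) );
    return empty( $users ) ? 0 : (int) $users[0];
}

// Vulnerable pattern: the permission callback only proves that *some* user
// owns the supplied openid; it never looks at 'userid'.
function example_vuln_permission_check( WP_REST_Request $request ) {
    return example_user_from_openid( (string) $request->get_param( 'openid' ) ) > 0;
}

// ...while the handler picks the record to modify from a separate 'userid'
// parameter, so the authorised identity and the target are never tied together.
function example_vuln_update( WP_REST_Request $request ) {
    $target = (int) $request->get_param( 'userid' );
    update_user_meta( $target, 'storename', sanitize_text_field( $request->get_param( 'storename' ) ) );
    return rest_ensure_response( array( 'updated' => $target ) );
}

// Hardened pattern: derive the target from the authorised identity, reject a
// 'userid' that does not match it, and require the caller to be that user
// (or to hold a capability that legitimately covers other users).
function example_safe_permission_check( WP_REST_Request $request ) {
    $owner  = example_user_from_openid( (string) $request->get_param( 'openid' ) );
    $target = (int) $request->get_param( 'userid' );
    if ( 0 === $owner || $target !== $owner ) {
        return new WP_Error( 'rest_forbidden', 'openid and userid do not refer to the same user.', array( 'status' => 403 ) );
    }
    if ( get_current_user_id() !== $owner && ! current_user_can( 'edit_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'You may only modify your own store record.', array( 'status' => 403 ) );
    }
    return true;
}

function example_safe_update( WP_REST_Request $request ) {
    // Ignore the client-supplied id; reuse the identity the permission
    // callback verified so the two can never diverge.
    $target = example_user_from_openid( (string) $request->get_param( 'openid' ) );
    foreach ( array( 'storeinfo', 'storeappid', 'storename' ) as $key ) {
        if ( null !== $request->get_param( $key ) ) {
            update_user_meta( $target, $key, sanitize_text_field( $request->get_param( $key ) ) );
        }
    }
    return rest_ensure_response( array( 'updated' => $target ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/user/shop', array( // assumed namespace and route
        'methods'             => 'POST',
        'callback'            => 'example_safe_update',
        'permission_callback' => 'example_safe_permission_check',
        'args'                => array(
            'openid' => array( 'required' => true, 'type' => 'string' ),
            'userid' => array( 'required' => true, 'type' => 'integer' ),
        ),
    ) );
} );
```

The design point is that a REST `permission_callback` must authorise the same object the `callback` will act on. When a handler reads its target from a request parameter the permission check never inspected, an existence check on a different parameter gives no protection, which is exactly the CWE-20 style gap this record describes. For review purposes, any route whose handler calls `update_user_meta()` (or a similar write) with an id taken straight from the request is worth comparing against what its permission callback validated.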

Vendors: Not available
Products: -
EPSS Score: N/A (no data available for selected date range)
EPSS Percentile: N/A (no data available for selected date range)
Common Vulnerabilities and Exposures (CVE) (cve.org)
Assigner: Wordfence
Assigner Org ID: b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At: 21 Mar, 2026 | 03:26
Updated At: 08 Apr, 2026 | 17:00
Rejected At: -

CVE Numbering Authority (CNA)
REST API TO MiniProgram <= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'userid' REST API Parameter

The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied 'openid' parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled 'userid' parameter to determine which user's metadata gets modified, with no verification that the 'openid' and 'userid' belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary users' store-related metadata (storeinfo, storeappid, storename) via the 'userid' REST API parameter.

Affected Products
Vendor: xjb
Product: REST API TO MiniProgram
Default Status: unaffected
Affected Versions:
  • From 0 through 5.1.2 (semver)
Problem Types
Type: CWE
CWE ID: CWE-20
Description: CWE-20 Improper Input Validation
Metrics
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Credits
Finder: Ronnachai Sretawat Na Ayutaya
Finder: Ronnachai Chaipha

Timeline
Disclosed: 2026-03-20 15:10:12
References
  • https://www.wordfence.com/threat-intel/vulnerabilities/id/7129d8cf-6b7d-4b7b-bd6a-85176247ab29?source=cve
  • https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L309
  • https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L309
  • https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L216
  • https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L216
  • https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L924
  • https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L924
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment: Information is not available yet
National Vulnerability Database (NVD) (nvd.nist.gov)
Source: security@wordfence.com
Published At: 21 Mar, 2026 | 04:17
Updated At: 23 Mar, 2026 | 14:32

The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied 'openid' parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled 'userid' parameter to determine which user's metadata gets modified, with no verification that the 'openid' and 'userid' belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary users' store-related metadata (storeinfo, storeappid, storename) via the 'userid' REST API parameter.

CISA Catalog: N/A

Metrics
Type: Primary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Weaknesses
CWE ID: CWE-20
Type: Primary
Source: security@wordfence.com
References (Source: security@wordfence.com)
  • https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L216
  • https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L309
  • https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/5.1.2/includes/api/ram-rest-weixin-controller.php#L924
  • https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L216
  • https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L309
  • https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/trunk/includes/api/ram-rest-weixin-controller.php#L924
  • https://www.wordfence.com/threat-intel/vulnerabilities/id/7129d8cf-6b7d-4b7b-bd6a-85176247ab29?source=cve

Change History: Information is not available yet

Similar CVEs (108 records found)

CVE-2024-25997
Matching Score: 4
Assigner: CERT@VDE
CVSS Score: 5.3 | MEDIUM
EPSS: 0.14% / 34.92% (7 Day CHG ~0.00%)
Published: 12 Mar, 2024 | 08:11
Updated: 23 Jan, 2025 | 18:45
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
PHOENIX CONTACT: Log injection in CHARX Series

An unauthenticated remote attacker can perform a log injection due to improper input validation. Only a certain log file is affected.

Action: Not Available
Vendor: Phoenix Contact GmbH & Co. KG
Product: charx_sec-3150_firmware, charx_sec-3050, charx_sec-3000_firmware, charx_sec-3100_firmware, charx_sec-3100, charx_sec-3000, charx_sec-3150, charx_sec-3050_firmware, CHARX SEC-3050, CHARX SEC-3000, CHARX SEC-3150, CHARX SEC-3100, charx_sec_3150, charx_sec_3050, charx_sec_3100, charx_sec_3000
CWE ID: CWE-20 Improper Input Validation
CVE-2024-24941
Matching Score: 4
Assigner: JetBrains s.r.o.
CVSS Score: 6.1 | MEDIUM
EPSS: 0.00% / 0.20% (7 Day CHG ~0.00%)
Published: 06 Feb, 2024 | 09:21
Updated: 01 Aug, 2024 | 23:36
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

In JetBrains IntelliJ IDEA before 2023.3.3 a plugin for JetBrains Space was able to send an authentication token to an inappropriate URL.

Action: Not Available
Vendor: JetBrains s.r.o.
Product: intellij_idea, IntelliJ IDEA
CWE ID: CWE-20 Improper Input Validation
CVE-2024-21507
Matching Score: 4
Assigner: Snyk
CVSS Score: 6.5 | MEDIUM
EPSS: 0.32% / 55.29% (7 Day CHG ~0.00%)
Published: 10 Apr, 2024 | 05:00
Updated: 17 Jun, 2025 | 18:23
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Versions of the package mysql2 before 3.9.3 are vulnerable to Improper Input Validation through the keyFromFields function, resulting in cache poisoning. An attacker can inject a colon (:) character within a value of the attacker-crafted key.

Action: Not Available
Vendor: sidorares, n/a, mysqljs
Product: mysql2
CWE ID: CWE-20 Improper Input Validation
CVE-2024-13666
Matching Score: 4
Assigner: Wordfence
CVSS Score: 5.3 | MEDIUM
EPSS: 0.22% / 44.62% (7 Day CHG ~0.00%)
Published: 22 Mar, 2025 | 08:24
Updated: 15 Apr, 2026 | 00:35
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder <= 5.2.12 - IP-Spoofing

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to IP Address Spoofing in all versions up to, and including, 5.2.12 due to insufficient IP address validation and use of user-supplied HTTP headers as a primary method for IP retrieval. This makes it possible for unauthenticated attackers to spoof their IP address and submit forms that may have IP-based restrictions.

Action: Not Available
Vendor: techjewel
Product: Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder
CWE ID: CWE-20 Improper Input Validation
CVE-2020-10240
Matching Score: 4
Assigner: MITRE Corporation
CVSS Score: 5.3 | MEDIUM
EPSS: 0.03% / 8.37% (7 Day CHG ~0.00%)
Published: 16 Mar, 2020 | 15:46
Updated: 04 Aug, 2024 | 10:58
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

An issue was discovered in Joomla! before 3.9.16. Missing length checks in the user table can lead to the creation of users with duplicate usernames and/or email addresses.

Action: Not Available
Vendor: n/a, Joomla!
Product: joomla\!, n/a
CWE ID: CWE-20 Improper Input Validation
CVE-2023-49081
Matching Score: 4
Assigner: GitHub, Inc.
CVSS Score: 7.2 | HIGH
EPSS: 0.46% / 63.95% (7 Day CHG ~0.00%)
Published: 30 Nov, 2023 | 06:56
Updated: 04 Nov, 2025 | 19:16
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
aiohttp's ClientSession is vulnerable to CRLF injection via version

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create a new HTTP request if the attacker controls the HTTP version. The vulnerability only occurs if the attacker can control the HTTP version of the request. This issue has been patched in version 3.9.0.

Action: Not Available
Vendor: aiohttp, aio-libs
Product: aiohttp
CWE ID: CWE-20 Improper Input Validation
CVE-2023-49082
Matching Score: 4
Assigner: GitHub, Inc.
CVSS Score: 5.3 | MEDIUM
EPSS: 0.22% / 44.79% (7 Day CHG ~0.00%)
Published: 29 Nov, 2023 | 20:07
Updated: 04 Nov, 2025 | 19:16
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
aiohttp's ClientSession is vulnerable to CRLF injection via method

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even create a new HTTP request if the attacker controls the HTTP method. The vulnerability occurs only if the attacker can control the HTTP method (GET, POST etc.) of the request. If the attacker can control the HTTP version of the request it will be able to modify the request (request smuggling). This issue has been patched in version 3.9.0.

Action: Not Available
Vendor: aiohttp, aio-libs
Product: aiohttp
CWE ID: CWE-20 Improper Input Validation
CWE ID: CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')
CVE-2023-20232
Matching Score: 4
Assigner: Cisco Systems, Inc.
CVSS Score: 5.3 | MEDIUM
EPSS: 0.11% / 29.57% (7 Day CHG ~0.00%)
Published: 16 Aug, 2023 | 21:39
Updated: 02 Aug, 2024 | 09:05
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

A vulnerability in the Tomcat implementation for Cisco Unified Contact Center Express (Unified CCX) could allow an unauthenticated, remote attacker to cause a web cache poisoning attack on an affected device. This vulnerability is due to improper input validation of HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a specific API endpoint on the Unified CCX Finesse Portal. A successful exploit could allow the attacker to cause the internal WebProxy to redirect users to an attacker-controlled host.

Action: Not Available
Vendor: Cisco Systems, Inc.
Product: unified_contact_center_express, Cisco Unified Contact Center Express
CWE ID: CWE-20 Improper Input Validation