REST API TO MiniProgram Vulnerability (Medium) – CVE-2026-3460


Mar 20, 2026 | Plugins

Attack Vectors

CVE-2026-3460 affects the WordPress plugin REST API TO MiniProgram (slug: rest-api-to-miniprogram) in versions up to and including 5.1.2. The issue involves a REST API request that accepts user-related parameters, including openid and userid.

An attacker can attempt to send crafted requests to the plugin’s REST API endpoint(s) and manipulate the userid parameter to target a different user than intended. The advisory describes this as an Authenticated (Subscriber+) issue, while the published CVSS vector shows PR:N; in practical terms, exposure depends on how the endpoint is reachable on your site and how user accounts are provisioned.

From a business-risk perspective, any environment where many low-privilege accounts exist (e.g., membership sites, e-commerce customers, campaign landing sites with registrations, or partner portals) increases the opportunity for abuse.

Security Weakness

This is an Insecure Direct Object Reference (IDOR) vulnerability, rated Medium severity (CVSS 5.3, vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

According to Wordfence’s analysis, the permission check function update_user_wechatshop_info_permissions_check validates only that the supplied openid corresponds to an existing WordPress user. However, the update function update_user_wechatshop_info uses a separate, attacker-controlled userid value to decide which user’s metadata is modified, without verifying that the provided openid and userid belong to the same user.

This mismatch creates a pathway for an attacker to update metadata for other users by referencing their user ID, rather than being restricted to their own account.
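To make the mismatch concrete, the following is an added illustration written for this post; it is not the plugin's code, and the route names, the `openid` user-meta key, the `shop_profile` meta key and all `example_` function names are assumptions. It shows the pattern the advisory describes (a permission callback that only confirms the openid exists, beside a handler that trusts a separate userid) and a hardened version in which the identity that passed authorization also decides which record is written.

```php
<?php
// Added example (not the plugin's code). Route, meta keys and helper names are assumed.

// Resolve the WordPress user whose "openid" user-meta equals the supplied value (0 if none).
function example_user_from_openid( string $openid ): int {
    if ( '' === $openid ) {
        return 0;
    }
    $ids = get_users( array(
        'meta_key'   => 'openid',   // assumed meta key for the illustration
        'meta_value' => $openid,
        'number'     => 1,
        'fields'     => 'ID',
    ) );
    return $ids ? (int) $ids[0] : 0;
}

// PATTERN TO LOOK FOR IN REVIEW: the permission check answers only "does this openid exist?"
function example_vuln_permissions_check( WP_REST_Request $request ) {
    return example_user_from_openid( (string) $request->get_param( 'openid' ) ) > 0;
}

// ...while the handler picks the target from an unrelated, client-supplied userid.
function example_vuln_update( WP_REST_Request $request ) {
    $target = (int) $request->get_param( 'userid' );   // never tied to the openid above
    update_user_meta( $target, 'shop_profile', sanitize_text_field( (string) $request->get_param( 'profile' ) ) );
    return rest_ensure_response( array( 'updated' => $target ) );
}

// HARDENED: the authorized identity selects the record; a client-supplied userid is only cross-checked.
function example_safe_permissions_check( WP_REST_Request $request ) {
    $owner = example_user_from_openid( (string) $request->get_param( 'openid' ) );
    if ( 0 === $owner ) {
        return new WP_Error( 'rest_forbidden', 'Unknown openid.', array( 'status' => 403 ) );
    }
    // If the caller also has a WordPress session, it must be the same account.
    if ( is_user_logged_in() && get_current_user_id() !== $owner ) {
        return new WP_Error( 'rest_forbidden', 'openid belongs to a different account.', array( 'status' => 403 ) );
    }
    // Legacy clients may still send userid; accept it only when it matches the owner.
    $claimed = $request->get_param( 'userid' );
    if ( null !== $claimed && (int) $claimed !== $owner ) {
        return new WP_Error( 'rest_forbidden', 'userid does not belong to this openid.', array( 'status' => 403 ) );
    }
    return true;
}

function example_safe_update( WP_REST_Request $request ) {
    // Re-derive the target from the openid that passed authorization; userid is never read here.
    $target = example_user_from_openid( (string) $request->get_param( 'openid' ) );
    update_user_meta( $target, 'shop_profile', sanitize_text_field( (string) $request->get_param( 'profile' ) ) );
    return rest_ensure_response( array( 'updated' => $target ) );
}

add_action( 'rest_api_init', function () {
    // Only the hardened route is registered; the vulnerable functions above are shown for comparison.
    register_rest_route( 'example/v1', '/user-info', array(      // assumed namespace and route
        'methods'             => 'POST',
        'callback'            => 'example_safe_update',
        'permission_callback' => 'example_safe_permissions_check',
        'args'                => array(
            'openid'  => array( 'required' => true, 'type' => 'string' ),
            'profile' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

The hardened handler deliberately ignores `userid` when choosing the record; the permission callback keeps a comparison against it only so that mismatched requests fail loudly rather than silently succeeding. Note also that an `openid` is an identifier rather than a secret, so even the hardened version is only as strong as whatever proves the caller owns that openid; where the caller has a WordPress session, tying the target to `get_current_user_id()` is the more robust check.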

Technical or Business Impacts

The primary impact described is unauthorized modification of user metadata (integrity impact). Even when the “data changed” seems minor, user metadata is often used by themes, plugins, and custom integrations to control user experiences, pricing, access levels, identity mapping, loyalty status, or downstream syncing.

For marketing and revenue teams, the business risks can include: corrupted customer profiles, misattributed orders or user identities in connected systems, disrupted personalization, and avoidable support costs from account-related disputes.

For executives and compliance stakeholders, an IDOR in a customer-facing API can also increase audit and incident-response burden, especially if user records are altered in ways that affect consent tracking, account ownership, or the integrity of records used for reporting.

Remediation note: Wordfence reports no known patch available at this time. Based on your organization’s risk tolerance, you may need to uninstall REST API TO MiniProgram and replace it with an alternative. If immediate removal is not feasible, consider temporary mitigations such as minimizing who can register/log in, reducing low-privilege accounts, limiting exposure of the affected REST routes (where operationally possible), and increasing monitoring for suspicious user-meta changes.
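Two of the temporary mitigations above, monitoring for suspicious user-meta changes and limiting exposure of the affected routes, can be implemented with a small must-use plugin. The following is an added example written for this post, not code from the plugin or from Wordfence; the `EXAMPLE_BLOCKED_REST_PREFIX` value is a placeholder to be replaced with the affected plugin's actual REST namespace, and the `example_` names are assumptions.

```php
<?php
/**
 * Plugin Name: Example user-meta change monitor (added example, not from the plugin)
 * Place in wp-content/mu-plugins/. Logs any user-meta write performed during a REST
 * request where the acting account is not the account being modified, and refuses
 * REST routes under a placeholder prefix until a patched version is available.
 */

// Placeholder: replace with the affected plugin's real REST namespace (e.g. '/<namespace>/').
define( 'EXAMPLE_BLOCKED_REST_PREFIX', '/PLACEHOLDER-NAMESPACE/' );

function example_is_rest_request(): bool {
    // WordPress defines REST_REQUEST while serving a REST API request.
    return defined( 'REST_REQUEST' ) && REST_REQUEST;
}

// Returns a JSON log line for a suspicious write, or null when the write is expected.
function example_describe_meta_change( int $target_user_id, string $meta_key, int $actor_user_id ): ?string {
    if ( ! example_is_rest_request() ) {
        return null; // admin-screen and cron edits are out of scope for this monitor
    }
    if ( $actor_user_id === $target_user_id ) {
        return null; // a user changing their own metadata is the normal case
    }
    if ( 0 !== $actor_user_id && user_can( $actor_user_id, 'edit_users' ) ) {
        return null; // administrators legitimately edit other users' metadata
    }
    return wp_json_encode( array(
        'event'  => 'cross_user_meta_write',
        'actor'  => $actor_user_id,   // 0 means no WordPress session was attached to the request
        'target' => $target_user_id,
        'meta'   => $meta_key,
        'route'  => isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
        'ip'     => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
    ) );
}

// Hook callback: both actions pass ( $meta_id, $object_id, $meta_key, $meta_value ).
function example_log_user_meta_change( $meta_id, $object_id, $meta_key, $meta_value ) {
    $line = example_describe_meta_change( (int) $object_id, (string) $meta_key, get_current_user_id() );
    if ( null !== $line ) {
        error_log( '[user-meta-monitor] ' . $line ); // lands in debug.log when WP_DEBUG_LOG is on
    }
}
add_action( 'added_user_meta',   'example_log_user_meta_change', 10, 4 );
add_action( 'updated_user_meta', 'example_log_user_meta_change', 10, 4 );

// Temporary exposure limit: refuse any REST route under the placeholder prefix.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( 0 === strpos( $request->get_route(), EXAMPLE_BLOCKED_REST_PREFIX ) ) {
        return new WP_Error( 'rest_route_disabled', 'This route is temporarily disabled.', array( 'status' => 403 ) );
    }
    return $result;
}, 10, 3 );
```

The monitor deliberately keys on the acting WordPress user rather than on any plugin-specific parameter, so it also records cases where a request carrying no session (actor `0`) writes metadata for a real account, which is exactly the shape of write the advisory describes. Review the resulting log lines alongside the site's access log before deciding whether the route block can be lifted.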

References: CVE-2026-3460 record and Wordfence vulnerability entry.

Similar Attacks

IDOR issues are a common cause of API-driven account and profile manipulation, especially where object identifiers (like user IDs) can be changed client-side without strong ownership checks. The following real-world incidents and write-ups illustrate how widespread and damaging IDOR-style problems can be:

Panera Bread leaks customer data (KrebsOnSecurity, 2018) — a widely cited example of risks that arise when web APIs expose or allow access to records through predictable identifiers and insufficient authorization controls.

OWASP: IDOR Prevention Cheat Sheet — industry guidance that documents how IDOR vulnerabilities commonly appear in applications and what controls are typically used to prevent them.
