{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-07-03T04:40:17.554","vulnerabilities":[{"cve":{"id":"CVE-2024-8485","sourceIdentifier":"security@wordfence.com","published":"2024-09-25T03:15:05.190","lastModified":"2026-06-17T08:22:43.377","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via the updateUserInfo() due to missing validation on the 'openid' user controlled key that determines what user will be updated. This makes it possible for unauthenticated attackers to update arbitrary user's accounts, including their email to a @weixin.com email, which can the be leveraged to reset the password of the user's account, including administrators."},{"lang":"es","value":"El complemento REST API TO MiniProgram para WordPress es vulnerable a la escalada de privilegios mediante la apropiación de cuentas en todas las versiones hasta la 4.7.1 incluida a través de updateUserInfo() debido a la falta de validación en la clave controlada por el usuario 'openid' que determina qué usuario será actualizado. Esto hace posible que atacantes no autenticados actualicen cuentas de usuarios arbitrarios, incluido su correo electrónico a un correo electrónico @weixin.com, que puede aprovecharse para restablecer la contraseña de la cuenta del usuario, incluidos los administradores."}],"affected":[{"source":"security@wordfence.com","affectedData":[{"vendor":"xjb","product":"REST API TO MiniProgram","defaultStatus":"unaffected","versions":[{"version":"0","lessThanOrEqual":"4.7.1","versionType":"semver","status":"affected"}]}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","affectedData":[{"vendor":"jianbo","product":"rest-api-to-miniprogram","defaultStatus":"unknown","cpes":["cpe:2.3:a:jianbo:rest-api-to-miniprogram:*:*:*:*:*:*:*:*"],"versions":[{"version":"0","lessThanOrEqual":"4.7.1","versionType":"custom","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2024-09-25T13:24:19.158511Z","id":"CVE-2024-8485","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security@wordfence.com","type":"Secondary","description":[{"lang":"en","value":"CWE-639"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:jianbo:rest_api_to_miniprogram:*:*:*:*:*:wordpress:*:*","versionEndIncluding":"4.7.1","matchCriteriaId":"3B85C713-4794-4A95-B021-7B8375DA22C3"}]}]}],"references":[{"url":"https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.0/includes/api/ram-rest-weixin-controller.php#L264","source":"security@wordfence.com","tags":["Product"]},{"url":"https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.6/includes/api/ram-rest-weixin-controller.php#L264","source":"security@wordfence.com"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/b53066d3-2ff3-4460-896a-facd77455914?source=cve","source":"security@wordfence.com","tags":["Third Party Advisory"]}]}}]}