CVE-2026-3460 is an insecure direct object reference (IDOR) vulnerability in the xjb REST API TO MiniProgram WordPress plugin, present in all versions up to and including 5.1.2. The root cause is improper input validation (CWE-20) in the REST API endpoint responsible for updating user store metadata. The permission callback function (update_user_wechatshop_info_permissions_check) only verifies that the provided 'openid' parameter corresponds to an existing WordPress user, but the actual update function (update_user_wechatshop_info) uses a separate 'userid' parameter to identify which user's metadata to modify. Critically, there is no verification that the 'openid' and 'userid' belong to the same user, allowing an authenticated attacker with at least Subscriber-level privileges to supply a valid 'openid' but a different 'userid' to modify another user's store-related metadata fields such as storeinfo, storeappid, and storename. This flaw allows unauthorized modification of user metadata, undermining data integrity. The vulnerability is remotely exploitable over the network without user interaction and does not require elevated privileges beyond Subscriber. The CVSS 3.1 base score is 5.3 (medium), reflecting the limited impact on confidentiality and availability but moderate impact on integrity. No patches or exploits are currently reported, but the vulnerability poses a risk to WordPress sites using this plugin, especially those integrating with MiniProgram services. The issue highlights the importance of consistent and correlated input validation in REST API design, especially when multiple parameters control access and modification rights.

The primary impact of CVE-2026-3460 is unauthorized modification of user-specific store metadata within affected WordPress sites using the xjb REST API TO MiniProgram plugin. Attackers with Subscriber-level access can alter storeinfo, storeappid, and storename fields of arbitrary users, potentially leading to misinformation, fraud, or disruption of store operations tied to MiniProgram integrations. While confidentiality and availability are not directly affected, the integrity compromise can undermine trust in the platform and cause business logic errors or financial discrepancies. Organizations relying on this plugin for e-commerce or MiniProgram storefronts may face reputational damage, customer dissatisfaction, or operational issues. The vulnerability is exploitable remotely without user interaction, increasing risk. However, exploitation requires authenticated access, limiting exposure to internal or registered users. The lack of known exploits in the wild suggests limited current active threat but does not preclude future attacks. Overall, the impact is moderate but significant for organizations with MiniProgram integrations and multi-user WordPress environments.

To mitigate CVE-2026-3460, organizations should: 1) Immediately update the xjb REST API TO MiniProgram plugin to a patched version once available, or apply vendor-provided fixes that enforce verification that 'openid' and 'userid' parameters correspond to the same user before allowing metadata updates. 2) Implement additional server-side validation to cross-check user identity parameters consistently across permission checks and update functions. 3) Restrict REST API access to trusted roles and monitor API usage logs for suspicious parameter tampering or unauthorized metadata modifications. 4) Employ Web Application Firewalls (WAFs) with custom rules to detect and block anomalous REST API requests attempting to modify other users' data. 5) Conduct regular security audits and penetration testing focusing on REST API endpoints and input validation logic. 6) Educate users and administrators about the risks of privilege escalation via API misuse and enforce least privilege principles. 7) Consider disabling or limiting the plugin functionality if MiniProgram integration is not critical until a fix is applied. These steps go beyond generic advice by focusing on correlating user identity parameters, monitoring API behavior, and enforcing strict access controls.