WordPress REST API to MiniProgram Plugin Insecure Direct Object Reference Vulnerability
Vulnerability
The REST API to MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference (IDOR) in all versions up to and including 5.1.2. The REST route's permission callback only checks that the 'openid' parameter belongs to an existing WordPress user. The route callback then uses a separate, attacker-controlled 'userid' parameter to select which user's metadata is modified, without verifying that 'openid' and 'userid' refer to the same user. As a result, authenticated attackers with Subscriber-level access or higher can alter the store-related metadata of arbitrary users by supplying a victim's ID in the 'userid' parameter of the REST request.
Impact
Exploitation of this vulnerability allows for unauthorized modification of users' store-related metadata, including store information, app ID, and store name.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher sends a POST request to the 'updatewechatshopinfo' endpoint of the REST API to MiniProgram plugin. The request must include a valid 'openid' parameter that corresponds to any existing WordPress user (the permission check only requires that the openid exists, not that it belongs to the target) and a 'userid' parameter set to the ID of another user whose metadata is to be modified. The 'storeappid', 'storename', and other related parameters can be included to overwrite the corresponding metadata of the targeted user.
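The following is an added illustration, not the plugin's own code. It shows the vulnerable pattern the advisory describes (a permission callback that only asks whether 'openid' belongs to some user, followed by a callback that trusts the client-supplied 'userid') next to a hardened version that derives the target user server-side. Only the endpoint name and the 'openid', 'userid', 'storeappid' and 'storename' parameter names come from the advisory; the route namespace, the meta keys, the openid lookup and every function name prefixed `example_` are assumptions made for this example.

```php
<?php
// Added example (not the plugin's code). The meta keys and the way openid is
// mapped to a user are hypothetical; parameter and endpoint names follow the advisory.

const EXAMPLE_OPENID_META_KEY = 'openid'; // hypothetical meta key holding a user's openid

/** Return the ID of the WordPress user that owns $openid, or 0 if no user does. */
function example_user_id_for_openid( string $openid ): int {
    if ( '' === $openid ) {
        return 0;
    }
    $ids = get_users( array(
        'meta_key'   => EXAMPLE_OPENID_META_KEY,
        'meta_value' => $openid,
        'fields'     => 'ID',
        'number'     => 1,
    ) );
    return $ids ? (int) $ids[0] : 0;
}

/** Write the store-related fields from the request onto user $target_id. */
function example_write_store_meta( int $target_id, WP_REST_Request $request ): void {
    foreach ( array( 'storeappid', 'storename' ) as $field ) {
        if ( null !== $request->get_param( $field ) ) {
            update_user_meta( $target_id, $field, sanitize_text_field( (string) $request->get_param( $field ) ) );
        }
    }
}

// --- Vulnerable pattern (IDOR) ------------------------------------------------

// Permission check only confirms that *some* user owns the openid.
function example_vuln_permission( WP_REST_Request $request ): bool {
    return example_user_id_for_openid( (string) $request->get_param( 'openid' ) ) > 0;
}

// Callback trusts 'userid', which was never tied to the openid that passed the check.
function example_vuln_callback( WP_REST_Request $request ) {
    $target = (int) $request->get_param( 'userid' ); // attacker-controlled
    example_write_store_meta( $target, $request );
    return rest_ensure_response( array( 'updated' => $target ) );
}

// --- Hardened version ---------------------------------------------------------

// The openid must belong to the authenticated user, and 'userid' (if sent at all)
// must name that same user. Anything else is rejected before the callback runs.
function example_safe_permission( WP_REST_Request $request ) {
    $current = get_current_user_id();
    if ( 0 === $current ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $owner = example_user_id_for_openid( (string) $request->get_param( 'openid' ) );
    if ( $owner !== $current ) {
        return new WP_Error( 'rest_forbidden', 'openid does not belong to the authenticated user.', array( 'status' => 403 ) );
    }
    $userid = $request->get_param( 'userid' );
    if ( null !== $userid && (int) $userid !== $current ) {
        return new WP_Error( 'rest_forbidden', 'userid does not match the authenticated user.', array( 'status' => 403 ) );
    }
    return true;
}

// The target is derived from the session, never from the request body.
function example_safe_callback( WP_REST_Request $request ) {
    $target = get_current_user_id();
    example_write_store_meta( $target, $request );
    return rest_ensure_response( array( 'updated' => $target ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/updatewechatshopinfo', array( // hypothetical namespace
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_safe_callback',
        'permission_callback' => 'example_safe_permission',
        'args'                => array(
            'openid'     => array( 'required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
            'userid'     => array( 'type' => 'integer' ),
            'storeappid' => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
            'storename'  => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
} );
```

The general rule the hardened version applies is that an authorization check and the object it authorizes must use the same identifier: if the permission callback validates 'openid', the callback must act on the user that openid resolves to (or on `get_current_user_id()`), and any separately supplied 'userid' is either ignored or required to match. Checking only that the credential exists, then acting on a different client-chosen ID, is exactly the IDOR described above.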
