Privilege Escalation Vulnerability Affects WordPress Users
CVE-2024-8485
9.8 CRITICAL
What is CVE-2024-8485?
The REST API TO MiniProgram plugin for WordPress exposes sites to a privilege escalation vulnerability. The flaw stems from insufficient validation of the user-controlled 'openid' key in the updateUserInfo() function and affects all versions up to and including 4.7.1. As a consequence, unauthenticated attackers can use the plugin to alter arbitrary user accounts. This includes changing an account's email address to one ending in @weixin.com, which can subsequently be used to trigger a password reset and take over both regular and administrative accounts. The vulnerability underscores the need for robust input validation and access controls in plugin development.
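As an added illustration, not code from the REST API TO MiniProgram plugin: a constructed WordPress REST handler that follows the pattern described above (the account to update is selected by an 'openid' value taken from the request body, with no permission check) beside a hardened version that binds the update to the authenticated caller. The route name, the assumption that the openid is stored in user meta under the key 'openid', and all function names are assumptions for this example.

```php
<?php
// Constructed example, not the plugin's own code.
// Assumed: each WordPress user stores their WeChat openid in user meta 'openid'.

// VULNERABLE PATTERN: the request body chooses the target account, there is no
// authentication, and nothing checks that the caller actually owns that openid.
function insecure_update_user_info( WP_REST_Request $request ) {
    $openid = $request->get_param( 'openid' );          // fully caller-controlled
    $users  = get_users( array( 'meta_key' => 'openid', 'meta_value' => $openid ) );
    if ( empty( $users ) ) {
        return new WP_Error( 'not_found', 'user not found', array( 'status' => 404 ) );
    }
    // Whatever email the body carries is written to the matched account,
    // which is what makes a follow-up password reset possible.
    return wp_update_user( array(
        'ID'         => $users[0]->ID,
        'user_email' => $request->get_param( 'email' ),
    ) );
}

// HARDENED PATTERN: the target is the authenticated user, the openid is compared
// against stored meta instead of trusted from the request, and the email is validated.
function secure_update_user_info( WP_REST_Request $request ) {
    $user_id = get_current_user_id();                    // 0 when unauthenticated
    $stored  = get_user_meta( $user_id, 'openid', true );
    if ( ! $user_id || ! $stored
         || ! hash_equals( (string) $stored, (string) $request->get_param( 'openid' ) ) ) {
        return new WP_Error( 'rest_forbidden', 'openid mismatch', array( 'status' => 403 ) );
    }
    $email = sanitize_email( (string) $request->get_param( 'email' ) );
    $owner = email_exists( $email );                     // false, or the owning user ID
    if ( ! is_email( $email ) || ( $owner && (int) $owner !== $user_id ) ) {
        return new WP_Error( 'rest_invalid_param', 'invalid or duplicate email', array( 'status' => 400 ) );
    }
    return wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
}

add_action( 'rest_api_init', function () {
    // permission_callback rejects unauthenticated requests before the handler runs;
    // the vulnerable function above is intentionally never registered as a route.
    register_rest_route( 'example-mp/v1', '/update-user-info', array(
        'methods'             => 'POST',
        'callback'            => 'secure_update_user_info',
        'permission_callback' => function () { return is_user_logged_in(); },
    ) );
} );
```

For detection, a sudden burst of REST calls that change user_email values on many accounts, or any admin account whose email changes to a domain the organisation does not use, is worth alerting on regardless of which plugin exposed the endpoint.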