CVE-2024-8485Jianbo · Rest_api_to_miniprogram
Vulnerability data via NVD (ingested)
The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via the updateUserInfo() due to missing validation on the 'openid' user controlled key that determines what user will be updated. This makes it possible for unauthenticated attackers to update arbitrary user's accounts, including their email to a @weixin.com email, which can the be leveraged to reset the password of the user's account, including administrators.
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2024-8485http.html:"/wp-content/plugins/rest-api-to-miniprogram/"product:"Jianbo Rest Api To Miniprogram"http.html:"Rest Api To Miniprogram"More intel sources (5)
vuln:CVE-2024-8485vulnerabilities.cve_id: CVE-2024-8485CVE-2024-8485CVE-2024-8485"CVE-2024-8485" exploit -site:nvd.nist.gov