Search criteria
6 vulnerabilities found for rest_api_to_miniprogram by jianbo
FKIE_CVE-2024-8485
Vulnerability from fkie_nvd - Published: 2024-09-25 03:15 - Updated: 2026-04-08 19:22
Severity
Summary
The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via the updateUserInfo() due to missing validation on the 'openid' user controlled key that determines what user will be updated. This makes it possible for unauthenticated attackers to update arbitrary user's accounts, including their email to a @weixin.com email, which can the be leveraged to reset the password of the user's account, including administrators.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| jianbo | rest_api_to_miniprogram | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jianbo:rest_api_to_miniprogram:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "3B85C713-4794-4A95-B021-7B8375DA22C3",
"versionEndIncluding": "4.7.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via the updateUserInfo() due to missing validation on the \u0027openid\u0027 user controlled key that determines what user will be updated. This makes it possible for unauthenticated attackers to update arbitrary user\u0027s accounts, including their email to a @weixin.com email, which can the be leveraged to reset the password of the user\u0027s account, including administrators."
},
{
"lang": "es",
"value": "El complemento REST API TO MiniProgram para WordPress es vulnerable a la escalada de privilegios mediante la apropiaci\u00f3n de cuentas en todas las versiones hasta la 4.7.1 incluida a trav\u00e9s de updateUserInfo() debido a la falta de validaci\u00f3n en la clave controlada por el usuario \u0027openid\u0027 que determina qu\u00e9 usuario ser\u00e1 actualizado. Esto hace posible que atacantes no autenticados actualicen cuentas de usuarios arbitrarios, incluido su correo electr\u00f3nico a un correo electr\u00f3nico @weixin.com, que puede aprovecharse para restablecer la contrase\u00f1a de la cuenta del usuario, incluidos los administradores."
}
],
"id": "CVE-2024-8485",
"lastModified": "2026-04-08T19:22:25.890",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "security@wordfence.com",
"type": "Secondary"
}
]
},
"published": "2024-09-25T03:15:05.190",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.0/includes/api/ram-rest-weixin-controller.php#L264"
},
{
"source": "security@wordfence.com",
"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.6/includes/api/ram-rest-weixin-controller.php#L264"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b53066d3-2ff3-4460-896a-facd77455914?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "security@wordfence.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2024-8484
Vulnerability from fkie_nvd - Published: 2024-09-25 03:15 - Updated: 2026-04-08 18:22
Severity
Summary
The REST API TO MiniProgram plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/watch-life-net/v1/comment/getcomments REST API endpoint in all versions up to, and including, 4.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| jianbo | rest_api_to_miniprogram | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jianbo:rest_api_to_miniprogram:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "3B85C713-4794-4A95-B021-7B8375DA22C3",
"versionEndIncluding": "4.7.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The REST API TO MiniProgram plugin for WordPress is vulnerable to SQL Injection via the \u0027order\u0027 parameter of the /wp-json/watch-life-net/v1/comment/getcomments REST API endpoint in all versions up to, and including, 4.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
},
{
"lang": "es",
"value": "El complemento REST API TO MiniProgram para WordPress es vulnerable a la inyecci\u00f3n SQL a trav\u00e9s del par\u00e1metro \u0027order\u0027 del endpoint de la API REST /wp-json/watch-life-net/v1/comment/getcomments en todas las versiones hasta la 4.7.1 incluida, debido a un escape insuficiente en el par\u00e1metro proporcionado por el usuario y a la falta de preparaci\u00f3n suficiente en la consulta SQL existente. Esto hace posible que atacantes no autenticados agreguen consultas SQL adicionales a consultas ya existentes que se pueden usar para extraer informaci\u00f3n confidencial de la base de datos."
}
],
"id": "CVE-2024-8484",
"lastModified": "2026-04-08T18:22:39.387",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security@wordfence.com",
"type": "Secondary"
}
]
},
"published": "2024-09-25T03:15:04.990",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Product"
],
"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.0/includes/api/ram-rest-comments-controller.php#L247"
},
{
"source": "security@wordfence.com",
"url": "https://plugins.trac.wordpress.org/changeset/3337740#file63"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e0945eb-ceec-4536-822a-fe864c21b580?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2024-8485 (GCVE-0-2024-8485)
Vulnerability from nvd – Published: 2024-09-25 02:05 – Updated: 2026-04-08 17:17
VLAI
Title
REST API TO MiniProgram <= 4.7.1 - Unauthenticated Arbitrary User Email Update and Privilege Escalation via Account Takeover
Summary
The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via the updateUserInfo() due to missing validation on the 'openid' user controlled key that determines what user will be updated. This makes it possible for unauthenticated attackers to update arbitrary user's accounts, including their email to a @weixin.com email, which can the be leveraged to reset the password of the user's account, including administrators.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| xjb | REST API TO MiniProgram |
Affected:
0 , ≤ 4.7.1
(semver)
|
|
| jianbo | rest-api-to-miniprogram |
Affected:
0 , ≤ 4.7.1
(custom)
cpe:2.3:a:jianbo:rest-api-to-miniprogram:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jianbo:rest-api-to-miniprogram:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "rest-api-to-miniprogram",
"vendor": "jianbo",
"versions": [
{
"lessThanOrEqual": "4.7.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8485",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T13:24:19.158511Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T13:24:46.812Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "REST API TO MiniProgram",
"vendor": "xjb",
"versions": [
{
"lessThanOrEqual": "4.7.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via the updateUserInfo() due to missing validation on the \u0027openid\u0027 user controlled key that determines what user will be updated. This makes it possible for unauthenticated attackers to update arbitrary user\u0027s accounts, including their email to a @weixin.com email, which can the be leveraged to reset the password of the user\u0027s account, including administrators."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:17:08.643Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b53066d3-2ff3-4460-896a-facd77455914?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.0/includes/api/ram-rest-weixin-controller.php#L264"
},
{
"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.6/includes/api/ram-rest-weixin-controller.php#L264"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-24T12:22:54.000Z",
"value": "Disclosed"
}
],
"title": "REST API TO MiniProgram \u003c= 4.7.1 - Unauthenticated Arbitrary User Email Update and Privilege Escalation via Account Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-8485",
"datePublished": "2024-09-25T02:05:21.738Z",
"dateReserved": "2024-09-05T16:14:56.147Z",
"dateUpdated": "2026-04-08T17:17:08.643Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-8484 (GCVE-0-2024-8484)
Vulnerability from nvd – Published: 2024-09-25 02:05 – Updated: 2026-04-08 16:59
VLAI
Title
REST API TO MiniProgram <= 4.7.1 - Unauthenticated SQL Injection
Summary
The REST API TO MiniProgram plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/watch-life-net/v1/comment/getcomments REST API endpoint in all versions up to, and including, 4.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| xjb | REST API TO MiniProgram |
Affected:
0 , ≤ 4.7.1
(semver)
|
|
| jianbo | rest-api-to-miniprogram |
Affected:
0 , ≤ 4.7.1
(custom)
cpe:2.3:a:jianbo:rest-api-to-miniprogram:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jianbo:rest-api-to-miniprogram:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "rest-api-to-miniprogram",
"vendor": "jianbo",
"versions": [
{
"lessThanOrEqual": "4.7.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8484",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T13:21:46.419751Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T13:23:48.726Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "REST API TO MiniProgram",
"vendor": "xjb",
"versions": [
{
"lessThanOrEqual": "4.7.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The REST API TO MiniProgram plugin for WordPress is vulnerable to SQL Injection via the \u0027order\u0027 parameter of the /wp-json/watch-life-net/v1/comment/getcomments REST API endpoint in all versions up to, and including, 4.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:59:36.023Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e0945eb-ceec-4536-822a-fe864c21b580?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.0/includes/api/ram-rest-comments-controller.php#L247"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3337740#file63"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-24T12:22:26.000Z",
"value": "Disclosed"
}
],
"title": "REST API TO MiniProgram \u003c= 4.7.1 - Unauthenticated SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-8484",
"datePublished": "2024-09-25T02:05:14.933Z",
"dateReserved": "2024-09-05T16:07:22.417Z",
"dateUpdated": "2026-04-08T16:59:36.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-8485 (GCVE-0-2024-8485)
Vulnerability from cvelistv5 – Published: 2024-09-25 02:05 – Updated: 2026-04-08 17:17
VLAI
Title
REST API TO MiniProgram <= 4.7.1 - Unauthenticated Arbitrary User Email Update and Privilege Escalation via Account Takeover
Summary
The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via the updateUserInfo() due to missing validation on the 'openid' user controlled key that determines what user will be updated. This makes it possible for unauthenticated attackers to update arbitrary user's accounts, including their email to a @weixin.com email, which can the be leveraged to reset the password of the user's account, including administrators.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| xjb | REST API TO MiniProgram |
Affected:
0 , ≤ 4.7.1
(semver)
|
|
| jianbo | rest-api-to-miniprogram |
Affected:
0 , ≤ 4.7.1
(custom)
cpe:2.3:a:jianbo:rest-api-to-miniprogram:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jianbo:rest-api-to-miniprogram:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "rest-api-to-miniprogram",
"vendor": "jianbo",
"versions": [
{
"lessThanOrEqual": "4.7.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8485",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T13:24:19.158511Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T13:24:46.812Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "REST API TO MiniProgram",
"vendor": "xjb",
"versions": [
{
"lessThanOrEqual": "4.7.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The REST API TO MiniProgram plugin for WordPress is vulnerable to privilege escalation via account takeovr in all versions up to, and including, 4.7.1 via the updateUserInfo() due to missing validation on the \u0027openid\u0027 user controlled key that determines what user will be updated. This makes it possible for unauthenticated attackers to update arbitrary user\u0027s accounts, including their email to a @weixin.com email, which can the be leveraged to reset the password of the user\u0027s account, including administrators."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:17:08.643Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b53066d3-2ff3-4460-896a-facd77455914?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.0/includes/api/ram-rest-weixin-controller.php#L264"
},
{
"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.6/includes/api/ram-rest-weixin-controller.php#L264"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-24T12:22:54.000Z",
"value": "Disclosed"
}
],
"title": "REST API TO MiniProgram \u003c= 4.7.1 - Unauthenticated Arbitrary User Email Update and Privilege Escalation via Account Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-8485",
"datePublished": "2024-09-25T02:05:21.738Z",
"dateReserved": "2024-09-05T16:14:56.147Z",
"dateUpdated": "2026-04-08T17:17:08.643Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-8484 (GCVE-0-2024-8484)
Vulnerability from cvelistv5 – Published: 2024-09-25 02:05 – Updated: 2026-04-08 16:59
VLAI
Title
REST API TO MiniProgram <= 4.7.1 - Unauthenticated SQL Injection
Summary
The REST API TO MiniProgram plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/watch-life-net/v1/comment/getcomments REST API endpoint in all versions up to, and including, 4.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| xjb | REST API TO MiniProgram |
Affected:
0 , ≤ 4.7.1
(semver)
|
|
| jianbo | rest-api-to-miniprogram |
Affected:
0 , ≤ 4.7.1
(custom)
cpe:2.3:a:jianbo:rest-api-to-miniprogram:*:*:*:*:*:*:*:* |
Credits
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:jianbo:rest-api-to-miniprogram:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "rest-api-to-miniprogram",
"vendor": "jianbo",
"versions": [
{
"lessThanOrEqual": "4.7.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8484",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-25T13:21:46.419751Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-25T13:23:48.726Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "REST API TO MiniProgram",
"vendor": "xjb",
"versions": [
{
"lessThanOrEqual": "4.7.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The REST API TO MiniProgram plugin for WordPress is vulnerable to SQL Injection via the \u0027order\u0027 parameter of the /wp-json/watch-life-net/v1/comment/getcomments REST API endpoint in all versions up to, and including, 4.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:59:36.023Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6e0945eb-ceec-4536-822a-fe864c21b580?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/rest-api-to-miniprogram/tags/4.7.0/includes/api/ram-rest-comments-controller.php#L247"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3337740#file63"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-24T12:22:26.000Z",
"value": "Disclosed"
}
],
"title": "REST API TO MiniProgram \u003c= 4.7.1 - Unauthenticated SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-8484",
"datePublished": "2024-09-25T02:05:14.933Z",
"dateReserved": "2024-09-05T16:07:22.417Z",
"dateUpdated": "2026-04-08T16:59:36.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}