CVE-2024-8485: 
WordPress vulnerability analysis and mitigation

The REST API TO MiniProgram plugin for WordPress contains a privilege escalation vulnerability (CVE-2024-8485) that affects all versions up to and including 4.7.1. The vulnerability was discovered in the updateUserInfo() function due to missing validation on the 'openid' user-controlled key that determines which user will be updated (NVD).

The vulnerability stems from insufficient validation in the updateUserInfo() function where the 'openid' parameter can be manipulated. This security flaw has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability allows unauthenticated attackers to update arbitrary user accounts, including their email addresses to a @weixin.com email. This capability can be leveraged to reset the password of any user's account, including administrator accounts, effectively enabling complete account takeover (NVD).

Users should immediately update to a version newer than 4.7.1 if available. If an update is not possible, it is recommended to disable the plugin until a patch can be applied (NVD).