2 matches found
CVE-2024-8484
CVE-2024-8484 concerns the WordPress REST API TO MiniProgram plugin. The vulnerability is a SQL Injection in the /wp-json/watch-life-net/v1/comment/getcomments endpoint, exploitable via the attacker-controlled order parameter. It affects all versions up to and including 4.7.1 and is described as ...
CVE-2024-8485
The REST API TO MiniProgram plugin for WordPress is vulnerable to unauthenticated privilege escalation up to version 4.7.1. The flaw is in updateUserInfo(), caused by missing validation of the openid user-controlled key, allowing an attacker to update arbitrary user accounts (e.g., changing email...