The website Seclists.Org disclosed a vulnerability in WeChat Pay on 3 July 2018. It was found by a payment security researcher, who described that WeChat unintentionally provides an xxe vulnerability in the JAVA version SDK when merchants provide a notification URL to accept asynchronous payment results. The attacker can build malicious payload towards the notification URL to steal any information of the merchant server as he or she want. Once the attacker gets the crucial security key (md5-key and merchant-Id etc.) of the merchant , he can even buy anything without paying but by just sending forged info to deceive the merchants. For details, please see
http://seclists.org/fulldisclosure/2018/Jul/3
Solution
As stated by the researcher, WeChat can fix it by updating the SDK quite easily, however the bad news is while exposing merchants may need a relatively long time to complete countermeasures, cost and skills needed.
WeChat is handling this vulnerability. Users are recommended to keep a close watch on this issue and upgrade WeChat system once the fix is released.
WeChat blog: http://blog.wechat.com/