The bPlugins Tiktok Feed plugin contains a missing authorization flaw where functionality is not properly restricted by access control lists. This lack of authentication enforcement allows an attacker to invoke privileged actions through the plugin’s exposed endpoints. The vulnerability is classified as CWE-862 and has a CVSS score of 7.1, indicating that, if exploited, it can compromise the confidentiality, integrity, and availability of the WordPress site by exposing data or enabling further attacks. Based on the description, it is inferred that the attack vector is via unauthenticated HTTP requests to the plugin’s API routes, which can be performed without knowing any user credentials. The impact is not limited to a single user; any visitor could gain elevated capabilities if the plugin’s endpoints are reachable.

WordPress installations that have the b-tiktok-feed plugin version 1.0.21 or earlier. The vulnerability applies to any site where the plugin is activated and has not been upgraded beyond the stated version. No other WordPress components are implicated by the current reporting.

The CVSS score of 7.1 signals a high level of risk, but the EPSS score being less than 1% suggests that, as of the latest assessment, the probability of exploitation is low. The vulnerability is not listed in CISA’s KEV catalog, so there is no known large‑scale exploitation campaign targeting it. Nonetheless, the flaw can be triggered by simple, automated probes to the plugin’s API, so any publicly accessible site using this plugin is a potential target. The simplest attack path involves sending crafted HTTP requests to REST endpoints exposed by bPlugins Tiktok Feed, bypassing authentication checks and executing arbitrary plugin actions.