Description
The My Social Feeds – Social Feeds Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 1.0.4 via the 'ttp_get_accounts' AJAX action. This is due to the complete absence of authorization checks (no capability verification) and nonce verification in the get_accounts() function, which returns the full contents of the 'ttp_tiktok_accounts' WordPress option. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive TikTok OAuth credentials, including access_token and refresh_token values, that belong to administrator-connected TikTok accounts, enabling them to impersonate the site owner when interacting with the TikTok API.
Published: 2026-05-02
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the My Social Feeds WordPress plugin allows authenticated users with Subscriber-level access or higher to retrieve the full contents of the 'ttp_tiktok_accounts' WordPress option. The plugin performs no capability or nonce checks when the 'ttp_get_accounts' AJAX action is invoked, exposing TikTok OAuth credentials such as access_token and refresh_token. An attacker who obtains these credentials can impersonate the site owner when interacting with the TikTok API, compromising the confidentiality of authentication information and potentially enabling unauthorized use of the site's TikTok integration. This weakness is classified under CWE-522, Sensitive Information Exposure.

Affected Systems

The affected product is the My Social Feeds – Social Feeds Embedder plugin for WordPress, distributed by bplugins. All plugin versions up to and including 1.0.4 are vulnerable, as the flawed 'ttp_get_accounts' function exists in those releases.

Risk and Exploitability

The CVSS score of 5.4 indicates a medium severity vulnerability. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed exploitation in the wild. However, the attack requires only that the user be authenticated with at least Subscriber privileges, which are commonly granted in WordPress sites. A successful exploit would involve an authenticated attacker sending the affected AJAX request to retrieve OAuth credentials, leading to potential impersonation of the site owner. Due to the absence of public exploitation evidence, the immediate risk is moderate, but the possibility of credential theft remains significant.

Generated by OpenCVE AI on May 2, 2026 at 06:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade My Social Feeds to the latest available version (any release newer than 1.0.4 where the AJAX action is protected).
  • If an upgrade is not possible, temporarily remove or disable the 'ttp_get_accounts' AJAX action by editing the plugin files or adding a custom filter to block the request.
  • Restrict access to the TikTok accounts feature by ensuring only Administrator users can view or interact with the 'ttp_get_accounts' action, and remove Subscriber or lower-level capabilities from any roles that should not access TikTok credentials.
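A hardened handler pattern alongside an interim guard for the action named in this advisory, as an added example (not code from the My Social Feeds plugin; the hardened handler's action and nonce names and the shape of the stored account records are assumptions):

```php
<?php
/**
 * Added example, not code from the My Social Feeds plugin. Part 1 shows the
 * checks the advisory says are missing, applied to a handler of the same
 * shape (action name, nonce name and account-record fields are assumptions).
 * Part 2 is an interim guard for the real action name, for sites that
 * cannot upgrade yet; drop it into wp-content/mu-plugins/.
 */

// --- 1. Hardened handler pattern ------------------------------------------
function ttp_example_get_accounts_hardened() {
    // Authorization: only administrators may read connected-account records.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    // CSRF protection: the admin page must pass a nonce created with
    // wp_create_nonce( 'ttp_example_get_accounts' ) in the 'nonce' field.
    check_ajax_referer( 'ttp_example_get_accounts', 'nonce' );

    $accounts = get_option( 'ttp_tiktok_accounts', array() );

    // Minimize exposure: the UI needs to know which accounts are connected,
    // not the OAuth tokens, so those never leave the server.
    $safe = array();
    foreach ( (array) $accounts as $id => $acct ) {
        $safe[] = array(
            'id'           => $id,
            'display_name' => isset( $acct['display_name'] ) ? $acct['display_name'] : '',
            'connected'    => ! empty( $acct['access_token'] ),
        );
    }
    wp_send_json_success( $safe );
}
// wp_ajax_* (not wp_ajax_nopriv_*) limits the action to logged-in users;
// the capability check above is what limits it to administrators.
add_action( 'wp_ajax_ttp_example_get_accounts', 'ttp_example_get_accounts_hardened' );

// --- 2. Interim guard for the vulnerable action ---------------------------
// Runs at priority 1, ahead of the plugin's own callback (assumed to be at
// the default priority 10), and ends the request for anyone who is not an
// administrator. It adds no nonce check, so the plugin's existing admin UI
// keeps working for administrators even if it sends no nonce.
add_action( 'wp_ajax_ttp_get_accounts', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}, 1 );
```

Because wp_send_json_error() calls wp_die(), the guard stops the request before the plugin's own handler at priority 10 can read the option.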


Advisories

No advisories yet.

History

Sat, 02 May 2026 05:15:00 +0000

Type        | Values Removed | Values Added
Description |                | The My Social Feeds – Social Feeds Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 1.0.4 via the 'ttp_get_accounts' AJAX action. This is due to the complete absence of authorization checks (no capability verification) and nonce verification in the get_accounts() function, which returns the full contents of the 'ttp_tiktok_accounts' WordPress option. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive TikTok OAuth credentials, including access_token and refresh_token values, that belong to administrator-connected TikTok accounts, enabling them to impersonate the site owner when interacting with the TikTok API.
Title       |                | My Social Feeds <= 1.0.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'ttp_get_accounts' AJAX Action
Weaknesses  |                | CWE-522
References  |                |
Metrics     |                | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-02T04:27:46.053Z

Reserved: 2026-04-16T18:29:52.438Z

Link: CVE-2026-6446

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-02T05:16:01.093

Modified: 2026-05-02T05:16:01.093

Link: CVE-2026-6446

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T07:00:06Z

Weaknesses