216.73.216.86

CVE-2026-6446

· Published 02/05/2026 05:16 · Modified 02/05/2026 05:16

Labels: CVE-2026-6446 2026-05-02CVE-2026-6446CWE-522[email protected]

Essential information

Published
02/05/2026 05:16
Modified
02/05/2026 05:16
Author
Creator
CVSS
5.4 MEDIUM (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVSS metrics

Description

The My Social Feeds – Social Feeds Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 1.0.4 via the 'ttp_get_accounts' AJAX action. This is due to the complete absence of authorization checks (no capability verification) and nonce verification in the get_accounts() function, which returns the full contents of the 'ttp_tiktok_accounts' WordPress option. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive TikTok OAuth credentials, including access_token and refresh_token values, that belong to administrator-connected TikTok accounts, enabling them to impersonate the site owner when interacting with the TikTok API.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
wordfence / my social feeds feed embedder cpe:2.3:a:wordfence:my_social_feeds_feed_embedder:<1.0.4:*:*:*:*:wordpress:*:*

References