CVE-2026-24520

Feeds for TikTok – Display Video Feeds in Grid Layouts <= 1.0.24 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.0.25
Patched in
7d
Time to patch

Description

The Feeds for TikTok – Display Video Feeds in Grid Layouts plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.24. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.24
PublishedMay 26, 2026
Last updatedJune 1, 2026
Affected pluginb-tiktok-feed

What Changed in the Fix

Changes introduced in v1.0.25

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-24520 (Feeds for TikTok - Missing Authorization) ## 1. Vulnerability Summary The **Feeds for TikTok – Display Video Feeds in Grid Layouts** plugin (versions <= 1.0.24) is vulnerable to missing authorization in its AJAX handlers. Specifically, the function `ttp…

Show full research plan

Exploitation Research Plan: CVE-2026-24520 (Feeds for TikTok - Missing Authorization)

1. Vulnerability Summary

The Feeds for TikTok – Display Video Feeds in Grid Layouts plugin (versions <= 1.0.24) is vulnerable to missing authorization in its AJAX handlers. Specifically, the function ttp_tiktok_clear in the TTP_TikTok\TTP_TikTok_Api class handles requests to clear the plugin's cache or disconnect the TikTok account without performing any capability checks (e.g., current_user_can('manage_options')).

While the handler verifies a WordPress nonce (ttp_fetch_data_nonce), this nonce is enqueued on frontend pages where the TikTok block is present, making it accessible to authenticated users (including Subscribers). An attacker can use this to perform a Denial of Service (DoS) by deleting the plugin's TikTok access tokens and feed data.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • AJAX Action: ttp_tiktok_clear
  • Vulnerable Class: TTP_TikTok\TTP_TikTok_Api
  • Vulnerable Method: ttp_tiktok_clear (Line 161 of includes/api/TiktokAPI.php)
  • Authentication Required: Authenticated, Subscriber-level access (wp_ajax hook).
  • Payload Parameter: action_type=unauthorized (to disconnect) or action_type=clear_cache.
  • Preconditions:
    1. The plugin must be active.
    2. The attacker must have a valid Subscriber-level account.
    3. A valid nonce for ttp_fetch_data_nonce must be obtained from the frontend.

3. Code Flow

  1. Registration: The plugin registers the AJAX handler in includes/api/TiktokAPI.php:
    add_action('wp_ajax_ttp_tiktok_clear', [$this, 'ttp_tiktok_clear']);
    
  2. Execution: When a request is made to admin-ajax.php?action=ttp_tiktok_clear:
    • ttp_tiktok_clear() is called.
    • wp_verify_nonce(sanitize_text_field($_GET['nonce']), 'ttp_fetch_data_nonce') is checked (Line 163).
    • Missing: There is no call to current_user_can().
  3. Sink: Depending on action_type:
    • If action_type === 'unauthorized':
      foreach ($this->transient as $transient) {
          delete_transient($transient); // Deletes ttp_tiktok_access_token, etc.
      }
      
    • This effectively disconnects the site from TikTok.

4. Nonce Acquisition Strategy

The nonce is localized in the enqueueTiktokAssets function in index.php:

wp_localize_script('ttp-fancyApp', 'ttpData', [
    'ajaxUrl' => admin_url('admin-ajax.php'),
    'nonce' => wp_create_nonce('ttp_fetch_data_nonce'),
    // ...
]);

The script ttp-fancyApp is registered and localized when block assets are enqueued.

Strategy:

  1. Identify the block name: b-tiktok-feed/b-tiktok-feed (from build/block.json).
  2. Create a post/page containing this block.
  3. As a Subscriber, navigate to that page.
  4. Extract the nonce from the window.ttpData object using browser_eval.

JS variable path: window.ttpData.nonce

5. Exploitation Strategy

Step 1: Obtain Nonce

  1. Login as Subscriber.
  2. Navigate to the page containing the TikTok feed.
  3. Execute: browser_eval("window.ttpData.nonce").

Step 2: Trigger Account Disconnection (DoS)

Send an AJAX request to delete the access tokens:

  • Method: GET (The code uses $_GET['nonce'] and $_GET['action_type'])
  • URL: http://victims-wp.local/wp-admin/admin-ajax.php
  • Query Parameters:
    • action: ttp_tiktok_clear
    • action_type: unauthorized
    • nonce: [EXTRACTED_NONCE]

Step 3: Verify Destruction

An attempt to fetch the feed data will now return empty results because ttp_tiktok_access_token is gone.

6. Test Data Setup

  1. Plugin Configuration: Install and activate b-tiktok-feed version 1.0.24.
  2. Simulate Authentication: Use WP-CLI to manually set a dummy access token to represent an active connection:
    wp transient set ttp_tiktok_access_token "mock_token_12345" 3600
    wp transient set ttp_tiktok_authorized_data "mock_data" 3600
    
  3. Create Content: Create a page with the TikTok block to expose the nonce:
    wp post create --post_type=page --post_status=publish --post_title="TikTok Feed" --post_content='<!-- wp:b-tiktok-feed/b-tiktok-feed /-->'
    
  4. Create Attacker:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password
    

7. Expected Results

  • HTTP Response: 200 OK.
  • Body: {"videos":[],"user_info":[]} (encoded via wp_kses_post).
  • System State: The transients ttp_tiktok_access_token and ttp_tiktok_authorized_data will be deleted from the database.

8. Verification Steps

After the exploit, check the transient state via WP-CLI:

wp transient get ttp_tiktok_access_token
# Expected: "Error: Transient with key "ttp_tiktok_access_token" not found."

9. Alternative Approaches

If action_type=unauthorized fails for any reason, try action_type=clear_cache.
While "Clear Cache" sounds benign, the ttp_tiktok_clear function calls getData() after clearing the cache. If an attacker can manipulate parameters like videoCacheTime or profileCacheTime (which are also taken from $_GET), they might be able to influence transient durations, although the primary impact remains the unauthorized invocation of the clearing logic itself.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Feeds for TikTok plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in its `ttp_tiktok_clear` AJAX handler. This allows authenticated attackers, such as subscribers, to clear the plugin's cache or disconnect the TikTok account by deleting the stored access tokens.

Vulnerable Code

// includes/api/TiktokAPI.php line 42
add_action('wp_ajax_ttp_tiktok_clear', [$this, 'ttp_tiktok_clear']);

// includes/api/TiktokAPI.php line 161
public function ttp_tiktok_clear()
{
    if (!wp_verify_nonce(sanitize_text_field($_GET['nonce']), 'ttp_fetch_data_nonce')) {
        echo wp_kses_post(wp_json_encode(['invalid nonce']));
        wp_die();
    }

    $action = sanitize_text_field($_GET['action_type']) ?? 'clear_cache';
    $max_count = sanitize_text_field($_GET['max_count']) ?? 20;
    $videoCacheTime = sanitize_text_field($_GET['videoCacheTime']) ?? false;
    $profileCacheTime = sanitize_text_field($_GET['profileCacheTime']) ?? false;
    $key = sanitize_text_field($_GET['key']) ?? false;
    $device = sanitize_text_field($_GET['device']) ?? 'mobile';

    if ($action === 'clear_cache') {
        delete_transient($key . '_ttp_tiktok_videos_' . $device);
        delete_transient('ttp_tiktok_user_info');
        echo wp_kses_post($this->getData($key, $max_count, false, $videoCacheTime, $profileCacheTime));
    }

    if ($action === 'unauthorized') {

        foreach ($this->transient as $transient) {
            delete_transient($transient);
        }
        delete_transient($key . '_ttp_tiktok_videos_' . $device);

        echo wp_kses_post(wp_json_encode(['videos' => [], 'user_info' => []]));
    }
    wp_die();
}

Security Fix

--- includes/api/TiktokAPI.php
+++ includes/api/TiktokAPI.php
@@ -165,6 +165,10 @@
                 wp_die();
             }
 
+            if (!current_user_can('manage_options')) {
+                wp_die('Unauthorized');
+            }
+
             $action = sanitize_text_field($_GET['action_type']) ?? 'clear_cache';
             $max_count = sanitize_text_field($_GET['max_count']) ?? 20;
             $videoCacheTime = sanitize_text_field($_GET['videoCacheTime']) ?? false;

Exploit Outline

1. Log in to the WordPress site as a user with Subscriber-level privileges. 2. Navigate to a public page or post where a TikTok feed block is rendered to locate the localized script data. 3. Extract the `ttp_fetch_data_nonce` from the global JavaScript object `window.ttpData.nonce`. 4. Construct an AJAX request to `/wp-admin/admin-ajax.php` using the extracted nonce. 5. Set the `action` parameter to `ttp_tiktok_clear` and the `action_type` parameter to `unauthorized`. 6. Send the request, which triggers the deletion of the `ttp_tiktok_access_token` transient, effectively disabling the site's TikTok integration.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.