[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ff41LEs0T-noFMpl6HD5MS6vV6OrPg7DDa8zz0yYk6HI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-24520","feeds-for-tiktok-display-video-feeds-in-grid-layouts-missing-authorization","Feeds for TikTok – Display Video Feeds in Grid Layouts \u003C= 1.0.24 - Missing Authorization","The Feeds for TikTok – Display Video Feeds in Grid Layouts plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.0.24. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","b-tiktok-feed",null,"\u003C=1.0.24","1.0.25","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-26 00:00:00","2026-06-01 16:28:33",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F44895f32-d5be-4dc7-85d2-539ff1720b37?source=api-prod",7,[22,23,24,25,26,27,28],"build\u002Findex.asset.php","build\u002Findex.js","includes\u002Fapi\u002FTiktokAPI.php","index.php","languages\u002Fb-tiktok-feed-en_US.po","languages\u002Fb-tiktok-feed.pot","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-24520 (Feeds for TikTok - Missing Authorization)\n\n## 1. Vulnerability Summary\nThe **Feeds for TikTok – Display Video Feeds in Grid Layouts** plugin (versions \u003C= 1.0.24) is vulnerable to missing authorization in its AJAX handlers. Specifically, the function `ttp_tiktok_clear` in the `TTP_TikTok\\TTP_TikTok_Api` class handles requests to clear the plugin's cache or disconnect the TikTok account without performing any capability checks (e.g., `current_user_can('manage_options')`). \n\nWhile the handler verifies a WordPress nonce (`ttp_fetch_data_nonce`), this nonce is enqueued on frontend pages where the TikTok block is present, making it accessible to authenticated users (including Subscribers). An attacker can use this to perform a Denial of Service (DoS) by deleting the plugin's TikTok access tokens and feed data.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `ttp_tiktok_clear`\n*   **Vulnerable Class:** `TTP_TikTok\\TTP_TikTok_Api`\n*   **Vulnerable Method:** `ttp_tiktok_clear` (Line 161 of `includes\u002Fapi\u002FTiktokAPI.php`)\n*   **Authentication Required:** Authenticated, Subscriber-level access (`wp_ajax` hook).\n*   **Payload Parameter:** `action_type=unauthorized` (to disconnect) or `action_type=clear_cache`.\n*   **Preconditions:**\n    1.  The plugin must be active.\n    2.  The attacker must have a valid Subscriber-level account.\n    3.  A valid nonce for `ttp_fetch_data_nonce` must be obtained from the frontend.\n\n## 3. Code Flow\n1.  **Registration:** The plugin registers the AJAX handler in `includes\u002Fapi\u002FTiktokAPI.php`:\n    ```php\n    add_action('wp_ajax_ttp_tiktok_clear', [$this, 'ttp_tiktok_clear']);\n    ```\n2.  **Execution:** When a request is made to `admin-ajax.php?action=ttp_tiktok_clear`:\n    -   `ttp_tiktok_clear()` is called.\n    -   `wp_verify_nonce(sanitize_text_field($_GET['nonce']), 'ttp_fetch_data_nonce')` is checked (Line 163).\n    -   **Missing:** There is no call to `current_user_can()`.\n3.  **Sink:** Depending on `action_type`:\n    -   If `action_type === 'unauthorized'`:\n        ```php\n        foreach ($this->transient as $transient) {\n            delete_transient($transient); \u002F\u002F Deletes ttp_tiktok_access_token, etc.\n        }\n        ```\n    -   This effectively disconnects the site from TikTok.\n\n## 4. Nonce Acquisition Strategy\nThe nonce is localized in the `enqueueTiktokAssets` function in `index.php`:\n```php\nwp_localize_script('ttp-fancyApp', 'ttpData', [\n    'ajaxUrl' => admin_url('admin-ajax.php'),\n    'nonce' => wp_create_nonce('ttp_fetch_data_nonce'),\n    \u002F\u002F ...\n]);\n```\nThe script `ttp-fancyApp` is registered and localized when block assets are enqueued.\n\n**Strategy:**\n1.  Identify the block name: `b-tiktok-feed\u002Fb-tiktok-feed` (from `build\u002Fblock.json`).\n2.  Create a post\u002Fpage containing this block.\n3.  As a Subscriber, navigate to that page.\n4.  Extract the nonce from the `window.ttpData` object using `browser_eval`.\n\n**JS variable path:** `window.ttpData.nonce`\n\n## 5. Exploitation Strategy\n### Step 1: Obtain Nonce\n1.  Login as Subscriber.\n2.  Navigate to the page containing the TikTok feed.\n3.  Execute: `browser_eval(\"window.ttpData.nonce\")`.\n\n### Step 2: Trigger Account Disconnection (DoS)\nSend an AJAX request to delete the access tokens:\n*   **Method:** GET (The code uses `$_GET['nonce']` and `$_GET['action_type']`)\n*   **URL:** `http:\u002F\u002Fvictims-wp.local\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Query Parameters:**\n    *   `action`: `ttp_tiktok_clear`\n    *   `action_type`: `unauthorized`\n    *   `nonce`: `[EXTRACTED_NONCE]`\n\n### Step 3: Verify Destruction\nAn attempt to fetch the feed data will now return empty results because `ttp_tiktok_access_token` is gone.\n\n## 6. Test Data Setup\n1.  **Plugin Configuration:** Install and activate `b-tiktok-feed` version 1.0.24.\n2.  **Simulate Authentication:** Use WP-CLI to manually set a dummy access token to represent an active connection:\n    ```bash\n    wp transient set ttp_tiktok_access_token \"mock_token_12345\" 3600\n    wp transient set ttp_tiktok_authorized_data \"mock_data\" 3600\n    ```\n3.  **Create Content:** Create a page with the TikTok block to expose the nonce:\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"TikTok Feed\" --post_content='\u003C!-- wp:b-tiktok-feed\u002Fb-tiktok-feed \u002F-->'\n    ```\n4.  **Create Attacker:**\n    ```bash\n    wp user create attacker attacker@example.com --role=subscriber --user_pass=password\n    ```\n\n## 7. Expected Results\n*   **HTTP Response:** 200 OK.\n*   **Body:** `{\"videos\":[],\"user_info\":[]}` (encoded via `wp_kses_post`).\n*   **System State:** The transients `ttp_tiktok_access_token` and `ttp_tiktok_authorized_data` will be deleted from the database.\n\n## 8. Verification Steps\nAfter the exploit, check the transient state via WP-CLI:\n```bash\nwp transient get ttp_tiktok_access_token\n# Expected: \"Error: Transient with key \"ttp_tiktok_access_token\" not found.\"\n```\n\n## 9. Alternative Approaches\nIf `action_type=unauthorized` fails for any reason, try `action_type=clear_cache`. \nWhile \"Clear Cache\" sounds benign, the `ttp_tiktok_clear` function calls `getData()` after clearing the cache. If an attacker can manipulate parameters like `videoCacheTime` or `profileCacheTime` (which are also taken from `$_GET`), they might be able to influence transient durations, although the primary impact remains the unauthorized invocation of the clearing logic itself.","The Feeds for TikTok plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in its `ttp_tiktok_clear` AJAX handler. This allows authenticated attackers, such as subscribers, to clear the plugin's cache or disconnect the TikTok account by deleting the stored access tokens.","\u002F\u002F includes\u002Fapi\u002FTiktokAPI.php line 42\nadd_action('wp_ajax_ttp_tiktok_clear', [$this, 'ttp_tiktok_clear']);\n\n\u002F\u002F includes\u002Fapi\u002FTiktokAPI.php line 161\npublic function ttp_tiktok_clear()\n{\n    if (!wp_verify_nonce(sanitize_text_field($_GET['nonce']), 'ttp_fetch_data_nonce')) {\n        echo wp_kses_post(wp_json_encode(['invalid nonce']));\n        wp_die();\n    }\n\n    $action = sanitize_text_field($_GET['action_type']) ?? 'clear_cache';\n    $max_count = sanitize_text_field($_GET['max_count']) ?? 20;\n    $videoCacheTime = sanitize_text_field($_GET['videoCacheTime']) ?? false;\n    $profileCacheTime = sanitize_text_field($_GET['profileCacheTime']) ?? false;\n    $key = sanitize_text_field($_GET['key']) ?? false;\n    $device = sanitize_text_field($_GET['device']) ?? 'mobile';\n\n    if ($action === 'clear_cache') {\n        delete_transient($key . '_ttp_tiktok_videos_' . $device);\n        delete_transient('ttp_tiktok_user_info');\n        echo wp_kses_post($this->getData($key, $max_count, false, $videoCacheTime, $profileCacheTime));\n    }\n\n    if ($action === 'unauthorized') {\n\n        foreach ($this->transient as $transient) {\n            delete_transient($transient);\n        }\n        delete_transient($key . '_ttp_tiktok_videos_' . $device);\n\n        echo wp_kses_post(wp_json_encode(['videos' => [], 'user_info' => []]));\n    }\n    wp_die();\n}","--- includes\u002Fapi\u002FTiktokAPI.php\n+++ includes\u002Fapi\u002FTiktokAPI.php\n@@ -165,6 +165,10 @@\n                 wp_die();\n             }\n \n+            if (!current_user_can('manage_options')) {\n+                wp_die('Unauthorized');\n+            }\n+\n             $action = sanitize_text_field($_GET['action_type']) ?? 'clear_cache';\n             $max_count = sanitize_text_field($_GET['max_count']) ?? 20;\n             $videoCacheTime = sanitize_text_field($_GET['videoCacheTime']) ?? false;","1. Log in to the WordPress site as a user with Subscriber-level privileges.\n2. Navigate to a public page or post where a TikTok feed block is rendered to locate the localized script data.\n3. Extract the `ttp_fetch_data_nonce` from the global JavaScript object `window.ttpData.nonce`.\n4. Construct an AJAX request to `\u002Fwp-admin\u002Fadmin-ajax.php` using the extracted nonce.\n5. Set the `action` parameter to `ttp_tiktok_clear` and the `action_type` parameter to `unauthorized`.\n6. Send the request, which triggers the deletion of the `ttp_tiktok_access_token` transient, effectively disabling the site's TikTok integration.","gemini-3-flash-preview","2026-06-04 20:53:38","2026-06-04 20:54:01",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","1.0.24","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fb-tiktok-feed\u002Ftags\u002F1.0.24","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fb-tiktok-feed.1.0.24.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fb-tiktok-feed\u002Ftags\u002F1.0.25","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fb-tiktok-feed.1.0.25.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fb-tiktok-feed\u002Ftags"]