CVE-2025-63016
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in quadlayers QuadLayers TikTok Feed wp-tiktok-feed allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects QuadLayers TikTok Feed: from n/a through <= 4.6.5.
AnalysisAI
Missing authorization in QuadLayers TikTok Feed WordPress plugin versions through 4.6.5 allows unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from improper validation of user permissions, enabling unauthorized access to protected functionality or data. While EPSS scoring indicates low exploitation probability (0.04th percentile), the authentication bypass classification suggests potential for privilege escalation or unauthorized administrative actions if discovered by an attacker.
Technical ContextAI
QuadLayers TikTok Feed (wp-tiktok-feed) is a WordPress plugin that integrates TikTok content feeds into WordPress sites. The vulnerability is rooted in CWE-862 (Missing Authorization), a common WordPress plugin flaw where function calls lack proper capability checks or nonce verification. Specifically, the plugin fails to implement adequate access control validation when processing requests, allowing users without proper permissions to access administrative or restricted functionalities. This typically manifests as missing capability checks in AJAX handlers, REST API endpoints, or admin pages that should require authenticated user roles with specific capabilities.
Affected ProductsAI
QuadLayers TikTok Feed plugin (wp-tiktok-feed) versions through 4.6.5 are affected. The vulnerability impacts all installations on WordPress sites running version 4.6.5 or earlier. Vendor advisory and vulnerability details are available via Patchstack database (https://patchstack.com/database/Wordpress/Plugin/wp-tiktok-feed/vulnerability/wordpress-quadlayers-tiktok-feed-plugin-4-6-4-broken-access-control-vulnerability).
RemediationAI
Upgrade QuadLayers TikTok Feed plugin immediately to a version released after 4.6.5. Users should navigate to their WordPress dashboard, locate the plugin in the Plugins section, and perform an immediate update to the latest available version once released by QuadLayers. If an update is not yet available from the WordPress plugin repository, disable the plugin until a patched version is confirmed. Verify the update installation by confirming the new version number in the Plugins menu. For WordPress administrators managing multiple sites, consider implementing automated plugin update policies to prevent delayed patching. Additional details and security advisories are available at Patchstack (https://patchstack.com/database/Wordpress/Plugin/wp-tiktok-feed).
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today