Skip to main content

CVE-2025-63016

MEDIUM
Missing Authorization (CWE-862)
2025-12-31 audit@patchstack.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
CVSS changed
Apr 23, 2026 - 15:43 NVD
5.3 (MEDIUM)
Analysis Generated
Apr 01, 2026 - 17:44 vuln.today
CVE Published
Dec 31, 2025 - 15:15 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in quadlayers QuadLayers TikTok Feed wp-tiktok-feed allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects QuadLayers TikTok Feed: from n/a through <= 4.6.5.

AnalysisAI

Missing authorization in QuadLayers TikTok Feed WordPress plugin versions through 4.6.5 allows unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from improper validation of user permissions, enabling unauthorized access to protected functionality or data. While EPSS scoring indicates low exploitation probability (0.04th percentile), the authentication bypass classification suggests potential for privilege escalation or unauthorized administrative actions if discovered by an attacker.

Technical ContextAI

QuadLayers TikTok Feed (wp-tiktok-feed) is a WordPress plugin that integrates TikTok content feeds into WordPress sites. The vulnerability is rooted in CWE-862 (Missing Authorization), a common WordPress plugin flaw where function calls lack proper capability checks or nonce verification. Specifically, the plugin fails to implement adequate access control validation when processing requests, allowing users without proper permissions to access administrative or restricted functionalities. This typically manifests as missing capability checks in AJAX handlers, REST API endpoints, or admin pages that should require authenticated user roles with specific capabilities.

Affected ProductsAI

QuadLayers TikTok Feed plugin (wp-tiktok-feed) versions through 4.6.5 are affected. The vulnerability impacts all installations on WordPress sites running version 4.6.5 or earlier. Vendor advisory and vulnerability details are available via Patchstack database (https://patchstack.com/database/Wordpress/Plugin/wp-tiktok-feed/vulnerability/wordpress-quadlayers-tiktok-feed-plugin-4-6-4-broken-access-control-vulnerability).

RemediationAI

Upgrade QuadLayers TikTok Feed plugin immediately to a version released after 4.6.5. Users should navigate to their WordPress dashboard, locate the plugin in the Plugins section, and perform an immediate update to the latest available version once released by QuadLayers. If an update is not yet available from the WordPress plugin repository, disable the plugin until a patched version is confirmed. Verify the update installation by confirming the new version number in the Plugins menu. For WordPress administrators managing multiple sites, consider implementing automated plugin update policies to prevent delayed patching. Additional details and security advisories are available at Patchstack (https://patchstack.com/database/Wordpress/Plugin/wp-tiktok-feed).

Share

CVE-2025-63016 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy