Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in bPlugins Tiktok Feed allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Tiktok Feed: from n/a through 1.0.24.
AnalysisAI
Broken access control in the bPlugins Tiktok Feed WordPress plugin (versions through 1.0.24) permits authenticated low-privileged users to perform actions that should be restricted to higher-privileged roles due to missing server-side authorization checks (CWE-862). Exploitation allows limited integrity impact - an attacker with a basic WordPress account could manipulate plugin-controlled data or settings without proper permission. No public exploit code exists and no active exploitation is confirmed at time of analysis; SSVC and EPSS signals both indicate low urgency.
Technical ContextAI
The affected product is the bPlugins Tiktok Feed plugin for WordPress, identified by CPE cpe:2.3:a:bplugins:tiktok_feed:*:*:*:*:*:*:*:*. CWE-862 (Missing Authorization) indicates the root cause is the absence of capability checks - the plugin exposes one or more AJAX endpoints or admin actions without verifying that the requesting user possesses sufficient WordPress role permissions (e.g., manage_options or equivalent). WordPress plugins are expected to call current_user_can() before executing privileged operations; absence of this check means any authenticated user, including subscribers, can trigger restricted functionality. The CVSS scope is unchanged (S:U), meaning the vulnerability is contained within the plugin's own context and does not directly affect the broader WordPress core or OS.
RemediationAI
Update the bPlugins Tiktok Feed plugin beyond version 1.0.24 via the WordPress plugin dashboard. A patched release is expected given coordinated Patchstack disclosure, but the exact fixed version number is not confirmed in the available data - verify the current release version in the WordPress plugin repository or via the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/b-tiktok-feed/vulnerability/wordpress-tiktok-feed-plugin-1-0-24-broken-access-control-vulnerability before updating. As a compensating control where immediate update is not possible, site administrators should audit whether open user registration is enabled (Settings > General > Anyone can register) and disable it if not operationally required, since this would eliminate the low-privilege account vector for external attackers. Additionally, consider using a WordPress firewall plugin (e.g., Wordfence, Patchstack) capable of virtual patching this specific vulnerability, though this introduces dependency on a third-party rule update cycle.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31966
GHSA-3jjj-xvhm-h2jj