Skip to main content

Tiktok Feed CVE-2026-24520

| EUVDEUVD-2026-31966 MEDIUM
Missing Authorization (CWE-862)
2026-05-26 Patchstack GHSA-3jjj-xvhm-h2jj
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 12:10 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in bPlugins Tiktok Feed allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Tiktok Feed: from n/a through 1.0.24.

AnalysisAI

Broken access control in the bPlugins Tiktok Feed WordPress plugin (versions through 1.0.24) permits authenticated low-privileged users to perform actions that should be restricted to higher-privileged roles due to missing server-side authorization checks (CWE-862). Exploitation allows limited integrity impact - an attacker with a basic WordPress account could manipulate plugin-controlled data or settings without proper permission. No public exploit code exists and no active exploitation is confirmed at time of analysis; SSVC and EPSS signals both indicate low urgency.

Technical ContextAI

The affected product is the bPlugins Tiktok Feed plugin for WordPress, identified by CPE cpe:2.3:a:bplugins:tiktok_feed:*:*:*:*:*:*:*:*. CWE-862 (Missing Authorization) indicates the root cause is the absence of capability checks - the plugin exposes one or more AJAX endpoints or admin actions without verifying that the requesting user possesses sufficient WordPress role permissions (e.g., manage_options or equivalent). WordPress plugins are expected to call current_user_can() before executing privileged operations; absence of this check means any authenticated user, including subscribers, can trigger restricted functionality. The CVSS scope is unchanged (S:U), meaning the vulnerability is contained within the plugin's own context and does not directly affect the broader WordPress core or OS.

RemediationAI

Update the bPlugins Tiktok Feed plugin beyond version 1.0.24 via the WordPress plugin dashboard. A patched release is expected given coordinated Patchstack disclosure, but the exact fixed version number is not confirmed in the available data - verify the current release version in the WordPress plugin repository or via the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/b-tiktok-feed/vulnerability/wordpress-tiktok-feed-plugin-1-0-24-broken-access-control-vulnerability before updating. As a compensating control where immediate update is not possible, site administrators should audit whether open user registration is enabled (Settings > General > Anyone can register) and disable it if not operationally required, since this would eliminate the low-privilege account vector for external attackers. Additionally, consider using a WordPress firewall plugin (e.g., Wordfence, Patchstack) capable of virtual patching this specific vulnerability, though this introduces dependency on a third-party rule update cycle.

Share

CVE-2026-24520 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy