CVE-2026-24520
Authorization Bypass in Tiktok Feed Plugin
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: Patchstack
Description
Affected Vendors & Products
| Vendor | Product | Version / Range | Status |
|---|---|---|---|
| bplugins | tiktok_feed | All versions up to and including 1.0.24 | Affected |
| bplugins | tiktok_feed | 1.0.0 (inclusive) to 1.0.24 (inclusive) | Affected |
| bplugins | tiktok_feed | 1.0.25 | Fixed (first patched release, per the mitigation guidance below) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24520 is a Broken Access Control vulnerability (CWE-862, Missing Authorization) in the bPlugins TikTok Feed plugin for WordPress, versions 1.0.24 and earlier. At least one plugin action can be invoked without the plugin checking the caller's capability, so an authenticated low-privilege user, such as a Subscriber, can perform an action that should require a higher role.
The root cause is a missing authorization check in the plugin's code, not a site configuration setting: the plugin does not verify that the requesting user is allowed to perform the action before carrying it out.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The advisory does not state how this Missing Authorization vulnerability in the bPlugins TikTok Feed plugin affects compliance with standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me?
An attacker who exploits this vulnerability can perform unauthorized actions on a site running the vulnerable TikTok Feed plugin, potentially leading to unauthorized changes or disruption of the plugin's functionality.
Because the flaw lets low-privileged users extend their capabilities, it is a candidate for mass campaigns against many WordPress sites at once. Note that exploitation still requires an authenticated account on the target site, so sites that allow open registration (Settings > General, "Anyone can register") or that have many untrusted low-privilege users are the most exposed.
The CVSS base score of 4.3 falls in the Medium band of CVSS v3.x (4.0 to 6.9), not Low; the rated impact is on integrity, and the practical consequence depends on which actions the missing check exposes.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Because the flaw is a missing authorization check inside the plugin code, the reliable indicator is the installed plugin version: any TikTok Feed release at or below 1.0.24 is vulnerable, and 1.0.25 or later is patched. Log review can supplement this by surfacing low-privilege accounts invoking plugin functionality, but the advisory does not name the specific endpoint, so version checking is the primary test.
The advisory does not provide specific commands; general approaches include:
- Checking the installed plugin version with WP-CLI: `wp plugin list --fields=name,status,version | grep -i tiktok` (the plugin's exact WP-CLI slug is not stated in the advisory, so match on the name rather than a guessed slug).
- Reviewing web server logs for requests to TikTok Feed plugin URLs (for example paths under `/wp-content/plugins/` belonging to the plugin, or `admin-ajax.php` and REST requests made by accounts that normally only read content).
- Using a vulnerability scanner or a WordPress security plugin that checks installed plugin versions against published advisories.
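The version check above, written out as an added example that is not part of the advisory or of the bPlugins project: a POSIX sh script that reads `wp plugin list` CSV output, finds the TikTok Feed entry, and compares its version against the first fixed release. It assumes the plugin's WP-CLI name contains "tiktok" (the advisory does not give the slug) and takes the fixed version 1.0.25 from the mitigation guidance; `check_site` and the other function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the advisory or the bPlugins project.
# Assumptions: the plugin's WP-CLI name contains "tiktok" (slug not stated
# in the advisory); the first fixed release is 1.0.25 per the advisory.
FIXED_VERSION="1.0.25"

# version_lt A B: exit 0 when dotted version A is lower than B.
# Compares numeric components left to right; a missing component counts
# as 0 (so 1.0 == 1.0.0) and a non-numeric suffix such as "-beta" is ignored.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# tiktok_feed_version: read the CSV produced by
#   wp plugin list --fields=name,status,version --format=csv
# on stdin and print the version of the first plugin whose name
# contains "tiktok" (case-insensitive). Prints nothing if absent.
tiktok_feed_version() {
    awk -F, 'NR > 1 && tolower($1) ~ /tiktok/ { print $3; exit }'
}

# is_vulnerable VERSION: exit 0 when VERSION is below the fixed release.
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_site WP_PATH: query a WordPress install with WP-CLI and report.
# Exit status: 0 = not installed or patched, 2 = vulnerable version found.
check_site() {
    v=$(wp --path="$1" plugin list --fields=name,status,version \
            --format=csv 2>/dev/null | tiktok_feed_version)
    if [ -z "$v" ]; then
        echo "TikTok Feed plugin not installed at $1"
        return 0
    fi
    if is_vulnerable "$v"; then
        echo "VULNERABLE: TikTok Feed $v at $1 (update to $FIXED_VERSION or later)"
        return 2
    fi
    echo "OK: TikTok Feed $v at $1"
    return 0
}
```

Run it against an install with `check_site /var/www/html`; a non-zero exit status of 2 marks a vulnerable version, which makes the function easy to loop over many sites from a cron job. The comparison is done in awk so it works on systems without GNU `sort -V`.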
What immediate steps should I take to mitigate this vulnerability?
The immediate step is to update the TikTok Feed plugin to version 1.0.25 or later, the first release in which the missing authorization check is fixed.
Enabling automatic updates for the plugin helps ensure future security fixes are applied promptly.
Until the update is applied, reduce exposure by limiting who can hold an authenticated account: disable open registration if it is not needed, review existing Subscriber-level accounts, and keep low-privilege roles to the minimum. These measures only narrow the pool of users who could reach the unprotected action; they do not restore the missing check, so the update is still required.