CVE-2026-24520
Deferred Deferred - Pending Action
Authorization Bypass in Tiktok Feed Plugin

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: Patchstack

Description
Missing Authorization vulnerability in bPlugins Tiktok Feed allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tiktok Feed: from n/a through 1.0.24.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-24520
EUVD
EUVD-2026-31966
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
bplugins tiktok_feed to 1.0.24 (inc)
bplugins tiktok_feed From 1.0.0 (inc) to 1.0.24 (inc)
bplugins tiktok_feed 1.0.25
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how the Missing Authorization vulnerability in the bPlugins TikTok Feed plugin directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-24520 is a Broken Access Control vulnerability in the WordPress TikTok Feed Plugin versions 1.0.24 and earlier. It occurs due to missing authorization checks, allowing users with low privileges, such as Subscribers, to perform actions that normally require higher privileges.

This vulnerability is caused by incorrectly configured access control security levels, meaning the plugin does not properly verify if a user is authorized to perform certain actions.

Impact Analysis

An attacker exploiting this vulnerability could perform unauthorized actions on a website using the vulnerable TikTok Feed plugin, potentially leading to unauthorized changes or disruptions.

Because the vulnerability allows low-privileged users to escalate their capabilities, it could be used in mass campaigns targeting thousands of websites, increasing the risk of widespread exploitation.

The CVSS score of 4.3 indicates a low severity, but the impact on integrity could still be significant depending on the actions performed by the attacker.

Detection Guidance

This vulnerability allows unprivileged users, such as those with a Subscriber role, to perform actions requiring higher privileges due to missing authorization checks in the WordPress TikTok Feed Plugin versions 1.0.24 and earlier.

Detection would involve verifying if the plugin version is 1.0.24 or earlier and checking for unauthorized access attempts or privilege escalations related to the TikTok Feed plugin endpoints.

Specific commands are not provided in the available resources, but general approaches include:

  • Checking the installed plugin version via WP-CLI: `wp plugin list | grep tiktok-feed`
  • Reviewing web server logs for suspicious access patterns or unauthorized actions targeting TikTok Feed plugin URLs.
  • Using security plugins or tools to scan for known vulnerabilities in installed WordPress plugins.
Mitigation Strategies

The immediate recommended step to mitigate this vulnerability is to update the WordPress TikTok Feed Plugin to version 1.0.25 or later, where the broken access control issue has been patched.

Additionally, enabling auto-updates for vulnerable plugins can help ensure timely application of security patches.

Monitoring and restricting user roles to minimize unprivileged users performing sensitive actions can also reduce risk until the update is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24520. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart