CVE-2026-6446
Deferred Deferred - Pending Action
Sensitive Information Exposure in My Social Feeds WordPress Plugin

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: Wordfence

Description
The My Social Feeds – Social Feeds Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 1.0.4 via the 'ttp_get_accounts' AJAX action. This is due to the complete absence of authorization checks (no capability verification) and nonce verification in the get_accounts() function, which returns the full contents of the 'ttp_tiktok_accounts' WordPress option. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive TikTok OAuth credentials, including access_token and refresh_token values, that belong to administrator-connected TikTok accounts, enabling them to impersonate the site owner when interacting with the TikTok API.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-02
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-02
EPSS Evaluated
2026-06-14
NVD
CVE-2026-6446
EUVD
EUVD-2026-26735
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
my_social_feeds social_feeds_embedder to 1.0.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The My Social Feeds – Social Feeds Embedder plugin for WordPress has a vulnerability in all versions up to and including 1.0.4. This vulnerability is due to the absence of authorization and nonce verification in the get_accounts() function, which is triggered via the 'ttp_get_accounts' AJAX action.

Because of this, authenticated users with Subscriber-level access or higher can retrieve sensitive TikTok OAuth credentials stored in the 'ttp_tiktok_accounts' WordPress option. These credentials include access_token and refresh_token values that belong to administrator-connected TikTok accounts.

This allows attackers to impersonate the site owner when interacting with the TikTok API.

Impact Analysis

This vulnerability can allow an attacker with low-level authenticated access (Subscriber or above) to obtain sensitive TikTok OAuth credentials of the site administrators.

With these credentials, the attacker can impersonate the site owner on TikTok, potentially leading to unauthorized actions on the TikTok account linked to the site.

This could result in unauthorized content posting, data leakage, or other malicious activities performed via the TikTok API under the guise of the legitimate site owner.

Compliance Impact

The vulnerability allows authenticated attackers with Subscriber-level access to retrieve sensitive TikTok OAuth credentials, including access_token and refresh_token values, of administrator-connected TikTok accounts. This exposure of sensitive information could potentially lead to unauthorized access and impersonation of the site owner when interacting with the TikTok API.

Such sensitive information exposure may impact compliance with data protection regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and disclosure.

However, the provided context does not explicitly state the direct effects on compliance with these standards or any specific regulatory implications.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6446. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart