CVE-2026-6446
Sensitive Information Exposure in My Social Feeds WordPress Plugin
Publication date: 2026-05-02
Last updated on: 2026-05-05
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| my_social_feeds | social_feeds_embedder | up to and including 1.0.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-522 | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
AI Powered Q&A
Can you explain this vulnerability to me?
The My Social Feeds – Social Feeds Embedder plugin for WordPress is vulnerable in all versions up to and including 1.0.4. The root cause is that the get_accounts() function, reachable through the 'ttp_get_accounts' AJAX action, performs neither an authorization (capability) check nor nonce verification before returning data.
Because of this, any authenticated user with Subscriber-level access or higher can retrieve the sensitive TikTok OAuth credentials stored in the 'ttp_tiktok_accounts' WordPress option. These credentials include the access_token and refresh_token values of the TikTok accounts that an administrator connected to the site.
With those tokens, an attacker can act as the site owner when interacting with the TikTok API.
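The two missing checks described above, shown in a hardened WordPress AJAX handler. This is an added illustration written for this page, not the plugin's own code; the action and option names come from the advisory, while the handler function name, the nonce action string ('ttp_accounts_nonce') and the account array keys are assumptions.

```php
<?php
// Added example, not code from the My Social Feeds plugin.
// Registers the handler only on 'wp_ajax_' (logged-in users), never on
// 'wp_ajax_nopriv_', so unauthenticated requests cannot reach it at all.
add_action( 'wp_ajax_ttp_get_accounts', 'ttp_get_accounts_hardened' );

function ttp_get_accounts_hardened() {
    // Check 1 (nonce): the request must carry a nonce created with
    // wp_create_nonce( 'ttp_accounts_nonce' ) in the 'nonce' parameter.
    // check_ajax_referer() terminates the request with HTTP 403 otherwise,
    // which blocks cross-site requests sent on a logged-in user's behalf.
    check_ajax_referer( 'ttp_accounts_nonce', 'nonce' );

    // Check 2 (authorization): being logged in is not enough. A Subscriber
    // passes the 'wp_ajax_' hook, so the handler must require the capability
    // that actually governs plugin settings; 'manage_options' limits it to
    // administrators on a single site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Option name from the advisory; array layout below is assumed.
    $accounts = get_option( 'ttp_tiktok_accounts', array() );

    // Defence in depth: OAuth tokens are needed server-side only. Return
    // display data and a connection flag, never access_token/refresh_token,
    // so a future authorization slip cannot leak credentials to the browser.
    $safe = array();
    foreach ( (array) $accounts as $account ) {
        $safe[] = array(
            'id'           => isset( $account['id'] ) ? sanitize_text_field( $account['id'] ) : '',
            'display_name' => isset( $account['display_name'] ) ? sanitize_text_field( $account['display_name'] ) : '',
            'connected'    => ! empty( $account['access_token'] ),
        );
    }

    wp_send_json_success( $safe );
}
```

For detection, a request log showing 'action=ttp_get_accounts' from Subscriber-level accounts on an unpatched site is the signal to look for; the fix above makes such requests fail with 403 before any option is read.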
How can this vulnerability impact me?
This vulnerability can allow an attacker with low-level authenticated access (Subscriber or above) to obtain sensitive TikTok OAuth credentials of the site administrators.
With these credentials, the attacker can impersonate the site owner on TikTok, potentially leading to unauthorized actions on the TikTok account linked to the site.
This could result in unauthorized content posting, data leakage, or other malicious activities performed via the TikTok API under the guise of the legitimate site owner.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated attackers with Subscriber-level access to retrieve sensitive TikTok OAuth credentials, including access_token and refresh_token values, of administrator-connected TikTok accounts. This exposure can lead to unauthorized access to, and impersonation of, the site owner's TikTok account via the TikTok API.
Exposure of credentials in this way may affect compliance with data protection regulations such as GDPR and HIPAA, which require that personal and sensitive data be protected against unauthorized access and disclosure.
The advisory itself does not state any direct compliance consequences or specific regulatory implications; those depend on what data the affected site and its linked TikTok account handle.