PT-2026-36567 · WordPress · My Social Feeds

Teerachai Somprasong · Published 2026-05-02 · Updated 2026-05-02 · CVE-2026-6446

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: My Social Feeds – Social Feeds Embedder, versions prior to 1.0.5

Description: The plugin is subject to sensitive information exposure via the 'ttp_get_accounts' AJAX action. The get_accounts() function lacks both an authorization (capability) check and nonce verification, so any authenticated user with Subscriber-level access or higher can call the action and retrieve the full contents of the ttp_tiktok_accounts WordPress option. That option holds the TikTok OAuth credentials of administrator-connected accounts, specifically the access_token and refresh_token values, which can be used to impersonate the site owner when interacting with the TikTok API.

Recommendations: Update the plugin to a version later than 1.0.4. As a temporary workaround, restrict access to the 'ttp_get_accounts' AJAX action so that unauthorized users cannot reach the get_accounts() function.
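The following PHP is an added illustration written for this advisory; it is not the plugin's own code. The hook name wp_ajax_ttp_get_accounts, the option name ttp_tiktok_accounts and the access_token / refresh_token field names are taken from the description above (underscores restored); the option layout (an array of accounts), the nonce action name 'ttp_accounts_nonce' and every function name are assumptions. It shows the unprotected pattern the advisory describes, a hardened handler that adds nonce verification, a capability check and redaction of the OAuth secrets, and a site-level mu-plugin snippet that implements the temporary workaround until the plugin is updated.

```php
<?php
// Added example for this advisory; not the plugin's code. Names marked
// "assumed" are not taken from the page.

// --- Pattern described by the advisory -------------------------------------
// Registered only under wp_ajax_ (logged-in users), with no capability
// check and no nonce check: any Subscriber can receive the raw option,
// OAuth tokens included.
function ttp_get_accounts_unprotected() {
    $accounts = get_option( 'ttp_tiktok_accounts', array() );
    wp_send_json_success( $accounts );
}
// add_action( 'wp_ajax_ttp_get_accounts', 'ttp_get_accounts_unprotected' );

// --- Hardened handler ------------------------------------------------------
function ttp_get_accounts_hardened() {
    // 1. Nonce: rejects requests that did not originate from the plugin's
    //    own admin page (check_ajax_referer() dies with 403 on failure).
    //    'ttp_accounts_nonce' is an assumed nonce action name.
    check_ajax_referer( 'ttp_accounts_nonce', 'nonce' );

    // 2. Authorization: only users allowed to manage plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Data minimisation: the UI needs display data, not the tokens, so
    //    the secrets never leave the server even for administrators.
    $accounts = get_option( 'ttp_tiktok_accounts', array() );
    wp_send_json_success( ttp_redact_accounts( $accounts ) );
}
add_action( 'wp_ajax_ttp_get_accounts', 'ttp_get_accounts_hardened' );

/**
 * Remove credential fields from each stored account before output.
 * The per-account array shape is assumed (an array keyed by field name).
 */
function ttp_redact_accounts( array $accounts ) {
    $secret_keys = array_flip( array( 'access_token', 'refresh_token' ) );
    $safe        = array();
    foreach ( $accounts as $id => $account ) {
        $account     = (array) $account;
        $safe[ $id ] = array_diff_key( $account, $secret_keys );
        // Expose only whether a token is present, never its value.
        $safe[ $id ]['connected'] = ! empty( $account['access_token'] );
    }
    return $safe;
}

// The admin page hands the nonce to the script that calls the action, e.g.
// (script handle 'ttp-admin' is assumed):
// wp_localize_script( 'ttp-admin', 'ttpAjax', array(
//     'url'   => admin_url( 'admin-ajax.php' ),
//     'nonce' => wp_create_nonce( 'ttp_accounts_nonce' ),
// ) );

// --- Temporary workaround as a mu-plugin (wp-content/mu-plugins/) ---------
// Hooks the same action at priority 0, so it runs before the plugin's own
// callback (default priority 10). wp_send_json_error() terminates the
// request, so non-administrators never reach get_accounts().
add_action( 'wp_ajax_ttp_get_accounts', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}, 0 );
```

The mu-plugin part is the only piece a site operator needs for the interim workaround; it does not modify the plugin's files and can be removed once a fixed version is installed. It stops the exposure but not the missing nonce check, so updating the plugin remains the actual fix.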

Fix

Weakness Enumeration: Insufficiently Protected Credentials (CWE-522)

Related Identifiers: CVE-2026-6446

Affected Products: My Social Feeds