CVE-2026-6446 Overview
CVE-2026-6446 affects the My Social Feeds – Social Feeds Embedder plugin for WordPress in all versions up to and including 1.0.4. The vulnerability stems from missing authorization and nonce verification in the ttp_get_accounts AJAX action, which exposes the contents of the ttp_tiktok_accounts WordPress option. Authenticated users with Subscriber-level access or higher can retrieve TikTok OAuth credentials, including access_token and refresh_token values, belonging to administrator-connected TikTok accounts. This sensitive information exposure maps to CWE-522: Insufficiently Protected Credentials.
Critical Impact
Subscriber-level attackers can extract TikTok OAuth access and refresh tokens, enabling impersonation of the site owner against the TikTok API.
Affected Products
- My Social Feeds – Social Feeds Embedder plugin for WordPress, versions through 1.0.4
- WordPress sites with the plugin active and at least one administrator-linked TikTok account
- Any registered user role at Subscriber level or above can trigger the exposure
Discovery Timeline
- 2026-05-02 - CVE-2026-6446 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-6446
Vulnerability Analysis
The plugin registers the ttp_get_accounts AJAX action, which is handled by the get_accounts() function inside includes/TiktokAPI.php. The handler returns the entire ttp_tiktok_accounts WordPress option to any authenticated request without verifying the caller's capability or validating a nonce. Because WordPress exposes wp_ajax_* endpoints to all logged-in users by default, any account at Subscriber level or higher can invoke the action.
The ttp_tiktok_accounts option stores OAuth artifacts created when an administrator connects a TikTok account, including access_token, refresh_token, and associated account identifiers. Disclosing these tokens allows an attacker to call the TikTok API as the connected administrator, post or modify content, and refresh tokens to maintain prolonged access. The disclosure occurs entirely outside the WordPress admin context, so no UI interaction is required beyond a single authenticated AJAX request.
Root Cause
The root cause is the complete absence of authorization checks in get_accounts(). The function does not call current_user_can() to enforce a capability such as manage_options, and it does not call check_ajax_referer() to validate a nonce. Sensitive credentials stored in a WordPress option are returned directly in the AJAX response.
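The contrast below is an added illustration and not the plugin's own source: a handler with the shape the advisory describes beside a hardened one that adds the missing check_ajax_referer() and current_user_can() calls and drops the token fields from the response. The hook and option names come from this page; the function names, the nonce action string and the manage_options capability choice are assumptions.

```php
<?php
// Added illustration for CVE-2026-6446; not the plugin's actual code.
// Hook and option names are from the advisory; helper names, the nonce
// action string and the capability are assumptions.

// Vulnerable shape: returns the whole option to any logged-in user,
// with no nonce and no capability check.
function ttp_get_accounts_vulnerable() {
    wp_send_json_success( get_option( 'ttp_tiktok_accounts', array() ) );
}

// Hardened shape: verify the nonce, enforce a capability, strip secrets.
function ttp_get_accounts_hardened() {
    // 1. Reject forged requests: the nonce must have been issued to this
    //    user for this action. On failure check_ajax_referer() dies with 403.
    check_ajax_referer( 'ttp_get_accounts_nonce', 'nonce' );

    // 2. Authorization: only users who can manage the site may read the
    //    connected-account list. Subscriber-level callers fail here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Minimize disclosure: the browser never needs the OAuth tokens,
    //    so remove access_token and refresh_token before responding.
    $accounts = get_option( 'ttp_tiktok_accounts', array() );
    $safe     = array();
    foreach ( (array) $accounts as $id => $account ) {
        $safe[ $id ] = array_diff_key(
            (array) $account,
            array_flip( array( 'access_token', 'refresh_token' ) )
        );
    }
    wp_send_json_success( $safe );
}
add_action( 'wp_ajax_ttp_get_accounts', 'ttp_get_accounts_hardened' );

// The admin script that calls the action must send the matching nonce
// as the 'nonce' parameter, for example via wp_localize_script():
// array( 'nonce' => wp_create_nonce( 'ttp_get_accounts_nonce' ) )
```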
Attack Vector
An attacker registers or compromises a low-privilege WordPress account on the target site. The attacker then issues an authenticated POST request to /wp-admin/admin-ajax.php with action=ttp_get_accounts. The response includes the access_token and refresh_token for every administrator-connected TikTok account, which the attacker uses to authenticate against the TikTok API as the site owner.
No verified proof-of-concept code is published. Technical references are available in the Wordfence Vulnerability Analysis and the WordPress Plugin Source Code.
Detection Methods for CVE-2026-6446
Indicators of Compromise
- Unexpected POST requests to /wp-admin/admin-ajax.php containing action=ttp_get_accounts from non-administrator sessions.
- TikTok API activity (posts, profile changes, token refreshes) originating from IP addresses or user agents not associated with the site owner.
- Newly registered low-privilege WordPress accounts followed by AJAX traffic to the ttp_get_accounts endpoint.
Detection Strategies
- Inspect web server and WordPress access logs for the ttp_get_accounts action paired with low-privilege session cookies.
- Correlate WordPress authentication events with subsequent AJAX calls to identify Subscriber-tier accounts probing administrative endpoints.
- Monitor TikTok account activity logs for sessions or token usage that does not correspond to administrator-initiated workflows.
Monitoring Recommendations
- Alert on any HTTP 200 responses to ttp_get_accounts whose response body includes the strings access_token or refresh_token.
- Track creation of new Subscriber accounts on sites running the My Social Feeds plugin and review their AJAX call patterns.
- Enable WordPress audit logging to capture changes to the ttp_tiktok_accounts option and unexpected token refresh events.
How to Mitigate CVE-2026-6446
Immediate Actions Required
- Update the My Social Feeds – Social Feeds Embedder plugin to a version newer than 1.0.4 once the vendor publishes a fixed release.
- Revoke and reissue all TikTok OAuth tokens stored in the ttp_tiktok_accounts option, then reconnect TikTok accounts after patching.
- Audit WordPress user accounts and remove unrecognized Subscriber-level or higher users that may have been created to abuse the endpoint.
Patch Information
The vendor commit history is tracked in the WordPress Commit Changeset. Administrators should install the patched release from the WordPress plugin repository as soon as it becomes available and verify the plugin version after deployment.
Workarounds
- Deactivate the My Social Feeds plugin until a patched version is installed and TikTok tokens have been rotated.
- Restrict open user registration on the WordPress site to prevent attackers from acquiring the Subscriber role required for exploitation.
- Block requests to /wp-admin/admin-ajax.php with action=ttp_get_accounts at the web application firewall, allowing only requests from administrator sessions.
# Example WAF rule (ModSecurity) to block the vulnerable AJAX action.
# Note: the WAF cannot see WordPress roles, so this denies the action for
# every session, administrators included, until the plugin is patched.
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
    "id:1026644601,phase:2,deny,status:403,log,chain,msg:'Block CVE-2026-6446 ttp_get_accounts'"
    SecRule ARGS:action "@streq ttp_get_accounts" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.