Sensitive Information Exposure in My Social Feeds Plugin for WordPress
CVE-2026-6446

5.4 MEDIUM

What is CVE-2026-6446?

The My Social Feeds – Social Feeds Embedder plugin for WordPress registers the 'ttp_get_accounts' AJAX action without any authorization check. Because the handler performs neither a capability check nor nonce validation, any authenticated user, from the Subscriber role upward, can invoke the get_accounts() function and retrieve the OAuth credentials (the access_token and refresh_token values) of the TikTok accounts that site administrators have linked. With those tokens an attacker can interact with the TikTok API as the site owner.
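The advisory describes two missing controls in one AJAX handler: a nonce check and a capability check. The following is an added example, not the plugin's own code, showing the unsafe shape of such a handler next to a hardened one. Only the action name 'ttp_get_accounts' comes from the advisory; the option name 'ttp_accounts', the nonce action 'ttp_get_accounts_nonce', the function names and the account field names are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's code). 'ttp_accounts', 'ttp_get_accounts_nonce',
// the function names and the record fields are assumptions; only the AJAX action
// name 'ttp_get_accounts' is taken from the advisory.

// ---- The pattern the advisory describes: no nonce check, no capability check.
// Every wp_ajax_* hook is reachable by any logged-in user through admin-ajax.php,
// so this handler hands stored tokens to a Subscriber just as readily as to an admin.
function ttp_get_accounts_unsafe() {
    $accounts = get_option( 'ttp_accounts', array() );
    wp_send_json_success( $accounts ); // access_token / refresh_token go to the caller
}
// add_action( 'wp_ajax_ttp_get_accounts', 'ttp_get_accounts_unsafe' );

// ---- Hardened handler: CSRF nonce, authorization, and secrets kept server-side.
function ttp_get_accounts_safe() {
    // 1. Nonce validation: check_ajax_referer() dies with HTTP 403 if the 'nonce'
    //    request field is missing or does not match the named action.
    check_ajax_referer( 'ttp_get_accounts_nonce', 'nonce' );

    // 2. Capability check: linked-account data is administrative; require the
    //    capability that gates plugin settings rather than merely being logged in.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Data minimisation: even an authorized admin UI does not need the raw
    //    OAuth tokens, so strip them before the response is built.
    $accounts = get_option( 'ttp_accounts', array() );
    $records  = is_array( $accounts ) ? $accounts : array();

    wp_send_json_success( array_map( 'ttp_redact_account', $records ) );
}
add_action( 'wp_ajax_ttp_get_accounts', 'ttp_get_accounts_safe' );

/**
 * Keep only non-secret fields of a stored account record (allow-list, so a new
 * secret field added later is dropped by default). Field names are assumptions.
 */
function ttp_redact_account( $account ) {
    $allowed = array( 'open_id', 'display_name', 'avatar_url', 'linked_at' );
    return array_intersect_key( (array) $account, array_flip( $allowed ) );
}

// Issue the nonce to the admin page whose script calls the action, so the
// hardened handler can be reached by the legitimate UI.
function ttp_enqueue_admin_script( $hook ) {
    wp_enqueue_script( 'ttp-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'ttp-admin', 'ttpAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'ttp_get_accounts_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ttp_enqueue_admin_script' );
```

Two points a site operator should take from this. First, the nonce alone is not an authorization control: a Subscriber who can load the page that embeds the nonce would still pass check_ajax_referer(), which is why the current_user_can() check is the part that closes the issue the advisory describes. Second, patching does not invalidate tokens that were already read; after upgrading past 1.0.4, relink the TikTok accounts so that new access_token and refresh_token values are issued, and review web server logs for admin-ajax.php requests carrying action=ttp_get_accounts from sessions of non-administrator users.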

Affected Version(s)

My Social Feeds – Social Feeds Embedder Plugin for WordPress, all versions up to and including 1.0.4

References

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Teerachai Somprasong