CVE-2025-66110
Description
Missing Authorization vulnerability in bPlugins Tiktok Feed (b-tiktok-feed) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tiktok Feed: from n/a through <= 1.0.23.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The WordPress Tiktok Feed plugin (<=1.0.23) has a missing authorization vulnerability allowing unauthenticated or low-privileged users to exploit incorrectly configured access controls.
Vulnerability Overview
The Tiktok Feed plugin for WordPress (versions up to and including 1.0.23) suffers from a missing authorization vulnerability. The plugin fails to enforce access control checks on certain functions, leaving them exposed to users without the necessary privileges. This broken access control issue stems from missing capability checks or nonce verification, allowing attackers to bypass the intended security restrictions [1].
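As an added illustration of the vulnerability class described above (this is not code from the Tiktok Feed plugin; the `bpx_` function, option and hook names are hypothetical), a WordPress AJAX settings handler that lacks both a capability check and nonce verification, beside the hardened form a code reviewer would expect:

```php
<?php
// Added illustration only: hypothetical plugin handler, not the affected plugin's code.

// Vulnerable pattern: the settings handler never checks who is calling or whether
// the request carries a valid nonce. If it were also registered on the
// wp_ajax_nopriv_ hook, unauthenticated visitors could reach it as well.
function bpx_save_feed_settings_vulnerable() {
    $settings = array(
        'username'   => sanitize_text_field( wp_unslash( $_POST['username'] ?? '' ) ),
        'feed_count' => absint( $_POST['feed_count'] ?? 10 ),
    );
    update_option( 'bpx_feed_settings', $settings );   // any caller can rewrite settings
    wp_send_json_success( $settings );
}
// add_action( 'wp_ajax_bpx_save_feed_settings',        'bpx_save_feed_settings_vulnerable' );
// add_action( 'wp_ajax_nopriv_bpx_save_feed_settings', 'bpx_save_feed_settings_vulnerable' );

// Hardened pattern: verify the nonce (CSRF) and the capability (authorization)
// before touching options, and do not expose the handler on the nopriv hook.
function bpx_save_feed_settings_fixed() {
    // Dies with HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'bpx_save_feed_settings', 'nonce' );

    // Only users allowed to manage site options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $settings = array(
        'username'   => sanitize_text_field( wp_unslash( $_POST['username'] ?? '' ) ),
        'feed_count' => min( 50, absint( $_POST['feed_count'] ?? 10 ) ),
    );
    update_option( 'bpx_feed_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_bpx_save_feed_settings', 'bpx_save_feed_settings_fixed' );

// The nonce is handed to the admin settings page script so the browser can send it back.
function bpx_enqueue_settings_script( $hook ) {
    if ( 'settings_page_bpx-feed' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'bpx-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'bpx-settings', 'bpxSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'bpx_save_feed_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'bpx_enqueue_settings_script' );
```

When auditing a plugin for this class, every `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_post_*` and REST route callback that writes options or content should carry both a `current_user_can()` check and nonce or REST permission verification.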
Exploitation Details
Attackers can exploit this vulnerability without authentication or with only minimal user-level access. The advisory notes that such vulnerabilities are frequently used in mass-exploitation campaigns targeting thousands of websites simultaneously, regardless of their size or popularity [1]. The attack surface is broad because the plugin is widely installed, and the lack of proper authorization makes the vulnerable functionality trivial to trigger.
Impact
Successful exploitation could allow an attacker to access or modify plugin settings, potentially leading to data exposure, site defacement, or further compromise. The CVSS v3 base score of 5.3 (Medium) reflects the potential for unauthorized access to sensitive information or functionality, though the impact is limited by the plugin's scope [1].
Mitigation
The vendor has released version 1.0.24, which addresses the missing authorization issue. Users are strongly advised to update immediately. For those unable to update, consulting a hosting provider or web developer is recommended. Patchstack users can enable auto-updates for vulnerable plugins to ensure timely patching [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Tiktok Feed (no CPE assigned), affected range: <= 1.0.23
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.