CVE-2026-24520
No known patch is available for this vulnerability.
The affected plugin has not been updated on WordPress.org since before this CVE was disclosed; the latest installable version is still vulnerable. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Missing Authorization vulnerability in bPlugins Tiktok Feed allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Tiktok Feed: from n/a through 1.0.24.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in the TikTok Feed plugin (bPlugins) up to v1.0.24 allows unprivileged users to perform higher-privileged actions.
Vulnerability
The TikTok Feed plugin for WordPress (slug: b-tiktok-feed) from bPlugins contains a missing authorization vulnerability in versions from n/a through 1.0.24 [1]. The issue is a broken access control flaw, where certain functions lack proper authorization, authentication, or nonce token checks, allowing an unprivileged user to execute actions that should require higher privileges [1].
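To make the flaw class concrete, the following added example (not code from the plugin, Patchstack, or WordPress.org) is a small Python heuristic that scans plugin PHP source for AJAX handlers registered via add_action('wp_ajax_…') and reports callbacks whose body contains neither a current_user_can() capability check nor a nonce check. The PHP it runs on is a constructed, hypothetical sample written in plugin style, not the b-tiktok-feed code, and the output is a triage list for manual review of an installed plugin, not a statement about which function this CVE affects.

```python
import re

# Constructed sample in the style of a WordPress plugin (hypothetical, not the
# b-tiktok-feed plugin's code): the first handler has no capability or nonce
# check and is also exposed to unauthenticated users via wp_ajax_nopriv_.
SAMPLE_PHP = r"""
add_action('wp_ajax_nopriv_btf_save_settings', 'btf_save_settings');
add_action('wp_ajax_btf_save_settings', 'btf_save_settings');
function btf_save_settings() {
    update_option('btf_settings', wp_unslash($_POST['settings']));
    wp_send_json_success();
}
add_action('wp_ajax_btf_clear_cache', 'btf_clear_cache');
function btf_clear_cache() {
    check_ajax_referer('btf_nonce', 'nonce');
    if (!current_user_can('manage_options')) { wp_send_json_error('forbidden', 403); }
    delete_transient('btf_feed');
    wp_send_json_success();
}
"""

# Matches add_action('wp_ajax_[nopriv_]<action>', '<callback>') registrations.
HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(nopriv_)?([\w-]+)['\"]\s*,\s*['\"](\w+)['\"]")

def function_body(src, name):
    # Body of PHP function `name` by brace counting (heuristic: braces inside
    # string literals or comments are not special-cased).
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if m is None:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit_ajax_handlers(src):
    # Per callback: reachable unauthenticated? capability check? nonce check?
    report = {}
    for nopriv, _action, cb in HOOK_RE.findall(src):
        body = function_body(src, cb)
        if body is None:
            continue  # callback defined in another file; out of scope here
        e = report.setdefault(cb, {"nopriv": False,
            "capability_check": "current_user_can(" in body,
            "nonce_check": "check_ajax_referer(" in body or "wp_verify_nonce(" in body})
        e["nopriv"] = e["nopriv"] or bool(nopriv)
    return report

def risky_handlers(src):
    # Callbacks missing either check: candidates for the missing-authorization
    # pattern described above; each needs manual review, not automatic action.
    return sorted(cb for cb, e in audit_ajax_handlers(src).items()
                  if not (e["capability_check"] and e["nonce_check"]))
```

A nonce alone is CSRF protection, not authorization, so a handler that passes this check can still be over-privileged if the capability it requires is too weak; the heuristic only narrows where to look.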
Exploitation
An attacker needs no special authentication; any unauthenticated or low-privileged user can exploit the missing access control checks to trigger the vulnerable functions. No specific sequence of steps is published, but the vulnerability is known to be used in mass-exploit campaigns against thousands of websites simultaneously [1]. The exploitation does not require user interaction or a race window.
Impact
Successful exploitation allows an attacker to perform unauthorized actions with elevated privileges, resulting in information disclosure, data modification, or other unintended operations depending on the affected function. The CVSS v3 score is 4.3 (Medium), with low impact on confidentiality and integrity [1].
Mitigation
The vendor released version 1.0.25 as the fixed version [1]. However, the plugin appears abandoned — no updates have been published since January 2026, and the last available release on WordPress.org remains 1.0.25 [2]. Users should update to 1.0.25 immediately if possible, or uninstall the plugin and replace it with an actively maintained alternative [1][2]. Patchstack users can enable auto-updates for vulnerable plugins [1]. If updating is not possible, contact your hosting provider for assistance [1]. The CVE is not listed in KEV as of publication.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries, both without a CPE, affected range: <=1.0.24
Patches
Patches indexed: 0
Plugin slug: b-tiktok-feed
This plugin appears unmaintained — its last release on WordPress.org predates this CVE's publication, so no fix has been shipped since the vulnerability was disclosed. The latest installable version is still vulnerable. Users should uninstall it or switch to an actively maintained alternative.
Source: api.wordpress.org · directory page
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1 reference indexed
News mentions
No linked articles in our index yet.