CVE-2026-6446 affects the My Social Feeds – Social Feeds Embedder plugin for WordPress, versions up to and including 1.0.4. The vulnerability arises from the get_accounts() function, which handles the 'ttp_get_accounts' AJAX action without performing any authorization or nonce checks. As a result, authenticated users with minimal privileges (Subscriber-level and above) can access the full contents of the 'ttp_tiktok_accounts' WordPress option. This option stores sensitive TikTok OAuth credentials, including access_token and refresh_token values linked to administrator accounts. Exploiting this flaw allows attackers to impersonate the site owner in TikTok API interactions. The issue is categorized under CWE-522 due to insufficient protection of credentials. There is no vendor advisory or patch available at this time.

The vulnerability exposes sensitive TikTok OAuth credentials to authenticated users with Subscriber-level privileges or higher, which could lead to unauthorized TikTok API access under the site owner's identity. This may enable attackers to perform actions on TikTok as the site owner, potentially compromising the integrity of linked social media accounts. The CVSS score of 5.4 indicates a medium severity impact focused on confidentiality and integrity. There are no known exploits in the wild currently.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict user roles to trusted individuals only, as the vulnerability requires authenticated access with Subscriber-level privileges or higher. Monitor plugin updates from bplugins for a security patch addressing this issue.