My Social Feeds WordPress Plugin Sensitive Information Exposure Vulnerability
Vulnerability
A sensitive information exposure vulnerability has been identified in the My Social Feeds – Social Feeds Embedder plugin for WordPress, affecting all versions through 1.0.4. The 'ttp_get_accounts' AJAX action performs neither a capability (authorization) check nor nonce verification, so any authenticated user with Subscriber-level access or higher can call it and read the TikTok OAuth credentials, including access and refresh tokens, of TikTok accounts that administrators have linked to the site. With those tokens an attacker can act as the site owner against the TikTok API.
Impact
Exploitation allows authenticated users with Subscriber-level access and above to obtain the TikTok OAuth access and refresh tokens of administrator-connected TikTok accounts. Because a refresh token can be used to mint new access tokens, the attacker can keep impersonating the site owner against the TikTok API until the tokens are revoked, not just until the current access token expires.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher sends a request for the 'ttp_get_accounts' AJAX action to the site's admin-ajax.php endpoint. Because the handler performs no capability check and no nonce verification, the request is not rejected; the response returns the contents of the 'ttp_tiktok_accounts' WordPress option, which holds the TikTok OAuth credentials for administrator-connected accounts. On sites that allow open registration, the Subscriber account needed for this can be created by anyone.
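The following is an added illustration, not the plugin's own source: a WordPress AJAX handler written in the pattern the advisory describes (no capability check, no nonce check, raw option returned), beside a hardened version of the same handler. The hook and option names come from the advisory; the function names, the nonce field name, the capability chosen, and the redaction helper are assumptions.

```php
<?php
// Illustrative example, not code from the My Social Feeds plugin.
// Hook 'wp_ajax_ttp_get_accounts' and option 'ttp_tiktok_accounts' are from
// the advisory; every other name here is an assumption for the example.

// --- Vulnerable pattern (as described in the advisory) ---
// A wp_ajax_ hook is reachable by every logged-in user, Subscriber included.
// Nothing below checks who is asking or whether the request was forged, and
// the option containing OAuth tokens is sent back verbatim.
function ttp_get_accounts_vulnerable() {
    $accounts = get_option( 'ttp_tiktok_accounts', array() );
    wp_send_json_success( $accounts );
}
// add_action( 'wp_ajax_ttp_get_accounts', 'ttp_get_accounts_vulnerable' );

// --- Hardened pattern ---
function ttp_get_accounts_hardened() {
    // 1. Nonce: rejects forged and cross-site requests. The action string must
    //    match the nonce minted for the admin page with wp_create_nonce(); the
    //    request field name 'nonce' is an assumption.
    check_ajax_referer( 'ttp_get_accounts', 'nonce' );

    // 2. Authorization: only users allowed to manage the integration.
    //    manage_options is a conservative choice; a narrower custom capability
    //    would also work. Subscribers never pass this check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Data minimisation: the UI only needs display data, so the raw access
    //    and refresh tokens never leave the server, even for an administrator.
    $accounts = get_option( 'ttp_tiktok_accounts', array() );
    wp_send_json_success( ttp_redact_accounts( $accounts ) );
}
add_action( 'wp_ajax_ttp_get_accounts', 'ttp_get_accounts_hardened' );

// Strip secrets before the option contents are serialised to JSON.
// The field names inside each account record are assumptions.
function ttp_redact_accounts( $accounts ) {
    $safe = array();
    foreach ( (array) $accounts as $id => $acct ) {
        $safe[ $id ] = array(
            'display_name' => isset( $acct['display_name'] ) ? $acct['display_name'] : '',
            'connected'    => ! empty( $acct['access_token'] ),
            'expires_at'   => isset( $acct['expires_at'] ) ? (int) $acct['expires_at'] : null,
        );
    }
    return $safe;
}
```

Both the nonce check and the capability check are needed: check_ajax_referer() alone still lets any logged-in user who can obtain a nonce from a page they may view call the action, and current_user_can() alone leaves an administrator open to a cross-site request that reads the tokens on their behalf.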
Remediation
Users are advised to update the My Social Feeds – Social Feeds Embedder plugin to version 1.0.5 or a newer patched version. Because any authenticated user may already have read the stored tokens, site owners should also disconnect and reconnect the linked TikTok accounts after updating so that the previously exposed access and refresh tokens are invalidated.
