PatchSiren cyber security CVE debrief

CVE-2026-24520 bPlugins CVE debrief

CVE-2026-24520 is a Missing Authorization vulnerability (CWE-862) in the bPlugins Tiktok Feed WordPress plugin, affecting versions up to and including 1.0.24. Plugin functionality is reachable without an adequate authorization check, so an authenticated user holding only a low-privilege role can perform an action the plugin should reserve for higher-privileged users. The issue was published in the NVD on May 26, 2026, with a CVSS 3.1 base score of 4.3 (MEDIUM severity). The affected plugin is a WordPress extension for displaying TikTok feeds. No exploitation in the wild and no use in ransomware campaigns has been reported. Patchstack is the reference source; the evidence available here names bPlugins as the vendor but does not identify a fixed release.

Vendor
bPlugins
Product
Tiktok Feed
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-26
Advisory published
2026-05-26
Advisory updated
2026-05-26

Who should care

WordPress site administrators running the bPlugins Tiktok Feed plugin, security teams responsible for WordPress installations (especially sites that allow user registration, since the attacker needs only a low-privilege account), and developers who maintain WordPress plugins and want to check their own handlers for the same class of missing capability check

Technical summary

The bPlugins Tiktok Feed WordPress plugin, versions 1.0.24 and earlier, contains a Missing Authorization vulnerability (CWE-862). The affected functionality does not adequately check the caller's capabilities, so an authenticated user with a low-privilege role can invoke an action the plugin should restrict; the sources available here do not name the specific handler. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) describes a network-reachable issue with low attack complexity that requires low privileges (an ordinary account, for example a Subscriber) and no user interaction, with unchanged scope and limited integrity impact. No confidentiality or availability impact is scored, so the rating reflects unauthorized modification rather than data disclosure or denial of service. On sites with open registration, any visitor can obtain the required account, which removes most of the practical barrier the PR:L rating implies. The vulnerability does not appear in CISA's Known Exploited Vulnerabilities catalog in the stored evidence.
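The following is an added illustration of the CWE-862 pattern as it typically appears in a WordPress plugin; it is not code from the Tiktok Feed plugin, and the action name, option name and function names are hypothetical. The vulnerable handler is registered only on a `wp_ajax_` hook, which proves nothing beyond "the caller is logged in", so any role can change the setting (the PR:L / I:L shape of the advisory). The hardened handler adds a nonce check and a capability check, and the REST route shows the equivalent `permission_callback` fix.

```php
<?php
// Added example (not the plugin's code). Hypothetical names throughout:
// action "example_save_feed_settings", option "example_feed_settings".

// VULNERABLE PATTERN: wp_ajax_{action} fires for any authenticated user.
// A Subscriber can POST action=example_save_feed_settings to admin-ajax.php and
// overwrite the option. No capability check, no nonce: CWE-862 plus CSRF.
add_action( 'wp_ajax_example_save_feed_settings', 'example_save_feed_settings_vulnerable' );
function example_save_feed_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'example_feed_settings', $settings );
    wp_send_json_success();
}

// HARDENED PATTERN: verify the nonce (stops cross-site requests) and require a
// capability that only administrators hold before touching plugin state.
add_action( 'wp_ajax_example_save_feed_settings_fixed', 'example_save_feed_settings_fixed' );
function example_save_feed_settings_fixed() {
    // Terminates the request with HTTP 403 if the "nonce" field is missing or invalid.
    check_ajax_referer( 'example_feed_settings', 'nonce' );

    // Authorization: the actual fix for CWE-862. Logged-in is not the same as allowed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $raw      = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $settings = array_map( 'sanitize_text_field', $raw );
    update_option( 'example_feed_settings', $settings );
    wp_send_json_success( $settings );
}

// REST equivalent. The vulnerable form would set 'permission_callback' to
// '__return_true'; the fix is a callback that enforces the capability.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-feed/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_rest_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function example_rest_save_settings( WP_REST_Request $request ) {
    $raw      = $request->get_param( 'settings' );
    $settings = is_array( $raw ) ? array_map( 'sanitize_text_field', $raw ) : array();
    update_option( 'example_feed_settings', $settings );
    return rest_ensure_response( $settings );
}
```

When reviewing a plugin for this class of bug, list every `add_action( 'wp_ajax_...' )` and `register_rest_route` call and confirm that each callback (or its `permission_callback`) calls `current_user_can()` with a capability appropriate to the action; `wp_ajax_nopriv_` hooks and `__return_true` permission callbacks deserve particular attention because they remove even the logged-in precondition.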

Defensive priority

medium

Recommended defensive actions

  • Update the bPlugins Tiktok Feed WordPress plugin to a release newer than 1.0.24 as soon as one is available; until then, consider deactivating the plugin on sites that have low-privileged accounts or allow open registration, since those accounts satisfy the PR:L precondition
  • Review WordPress user roles and enforce least privilege; if open registration (Settings > General > Membership) is enabled, confirm it is still needed
  • Log and review requests to admin-ajax.php and the REST API (/wp-json/) made by low-privileged accounts, since plugin actions are normally exposed through these endpoints; WordPress core keeps no audit log, so rely on web server logs or an audit-logging plugin
  • Consider web application firewall rules that restrict the plugin's AJAX actions and REST routes, noting that a perimeter WAF cannot see WordPress roles, so this is a stopgap rather than a fix
  • Verify plugin file integrity against a known-good copy of the same version and review for unauthorized modifications if running affected versions

Evidence notes

Vulnerability details are sourced from the NVD modified feed, with Patchstack as the primary reference. The CVSS vector confirms network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and limited integrity impact; recomputing the base score from those metrics with the CVSS 3.1 formula yields 4.3, consistent with the published score. CPE criteria are not available in the source data, so affected-version matching relies on the advisory text (versions up to and including 1.0.24) rather than a CPE match.

Official resources

2026-05-26