● Medium · CVSS 5.4

How to Fix CVE-2026-6446: CWE-522 Insufficiently Protected Credentials

Q: Is CVE-2026-6446 being exploited in the wild?

As of 2026-05-25, CVE-2026-6446 is not listed in the CISA Known Exploited Vulnerabilities catalog. Watch the catalog and patch on a normal cadence; KEV status can change as exploitation evidence emerges.

Q: What is the CVSS score for CVE-2026-6446?

The CVSS base score is 5.4 (Medium).

Q: What version fixes this?

The vendor advisory names the patched build. See the References section.

Q: Will a WAF or IDS rule alone close this?

No. Network filters cut down opportunistic scans but they do not remove the flaw. The vendor patch is the only durable fix.

By Sai Kiran Pandrala

Other vulnerabilities in the same area that are worth patching alongside this one:

How to Fix CVE-2026-39677: WordPress Emphires theme <= 3.9 - Local File Inclusion in Emphires — WordPress Emphires theme <= 3.9 - Local File Inclusion in Emphires
How to Fix CVE-2026-39535: WordPress Display Eventbrite Events plugin <= 6.5.6 - Broken Access Control — WordPress Display Eventbrite Events plugin <= 6.5.6 - Broken Access Control
How to Fix CVE-2026-1656: Critical Vulnerability in Business Directory Plugin – Easy Listing Directories for WordPress , Critical Vulnerability in Business Directory Plugin – Easy Listing Directories for WordPress
How to Fix CVE-2026-32336: WordPress Rara Business theme <= 1.3.0 - Broken Access Control , WordPress Rara Business theme <= 1.3.0 - Broken Access Control
How to Fix CVE-2026-5200: Missing Authorization in AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress , Missing Authorization in AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress

Last verified: 2026-05-25

CVE-2026-6446 is a cwe-522 insufficiently protected credentials in bplugins My Social Feeds – Social Feeds Embedder Plugin for WordPress. Fix it by upgrading to the patched build from the vendor advisory.

⚡ At a glance


Severity	CVSS 5.4 - Medium
Actively exploited?	Not currently in the CISA KEV catalog
Affected	My Social Feeds – Social Feeds Embedder Plugin for WordPress 0 up to (including) 1.0.4
Fixed in	See vendor advisory
Type (CWE)	CWE-522: CWE-522 Insufficiently Protected Credentials

What is CVE-2026-6446?

CVE-2026-6446 is a cwe-522 insufficiently protected credentials flaw in bplugins My Social Feeds – Social Feeds Embedder Plugin for WordPress. It carries a CVSS base score of 5.4 (medium). It is not currently listed in the CISA Known Exploited Vulnerabilities catalog.

From the source record: The My Social Feeds – Social Feeds Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 1.0.4 via the 'ttp_get_accounts' AJAX action. This is due to the complete absence of authorization checks (no capability verification) and nonce verification in the get_accounts() function, which returns the full contents of the 'ttp_tiktok_accounts' WordPress option. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive TikTok OAuth credentials, including access_token and refresh_token values, that belong to administrator-connected TikTok accounts, enabling them to impersonate the site owner when interacting with the TikTok API.

Why it matters in practice: The blast radius depends on how the affected service is exposed. An internet-facing instance with no compensating controls is the highest-risk configuration.

Am I affected?

You are affected if your installation of My Social Feeds – Social Feeds Embedder Plugin for WordPress matches a version listed in the Affected row above.


wp plugin list --status=active
wp core version

How to fix CVE-2026-6446

Apply the vendor patch. Target the build named in the Fixed in row above (See vendor advisory). The runnable command set below covers the most common deployment patterns for My Social Feeds – Social Feeds Embedder Plugin for WordPress.

CMS plugin/theme upgrade


# WordPress example with WP-CLI
wp plugin update --all
wp core update
wp plugin list --status=active

After applying the patch

Restart the service or device so the patched binary loads.
Confirm the running version matches the Fixed in row using the verification command below.
Rotate credentials and API keys that the affected service could access if the asset was exposed during the disclosure window.

If you can't patch immediately

Until the patch lands, narrow the attack surface with these runnable controls.

Restrict network exposure

Block public access to the affected service at the perimeter. Allow only trusted source IPs.


# Linux iptables: only allow trusted admin subnet
sudo iptables -A INPUT -p tcp --dport 443 -s 10.10.10.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j DROP
sudo iptables-save | sudo tee /etc/iptables/rules.v4


# Windows firewall: only allow trusted admin subnet on management port
New-NetFirewallRule -DisplayName "Restrict-Mgmt-Allow" -Direction Inbound -Action Allow `
  -RemoteAddress 10.10.10.0/24 -Protocol TCP -LocalPort 443
New-NetFirewallRule -DisplayName "Restrict-Mgmt-Deny"  -Direction Inbound -Action Block `
  -Protocol TCP -LocalPort 443

Mitigations are temporary. Apply the vendor patch as soon as a maintenance window opens.

How to verify the fix worked

Confirm the patched build is the one actually running.


wp plugin list --status=active
wp core version

Expected: a version at or above the patched build named in the vendor advisory.

Also worth doing: pull recent log windows for indicators of compromise listed in the vendor advisory, and re-run an authenticated vulnerability scan with up-to-date signatures.

Frequently asked questions

Is CVE-2026-6446 being exploited in the wild?