CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Missing Authorization vulnerability in rsocial Revive Old Posts tweet-old-post allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Revive Old Posts: from n/a through <= 9.3.3.
Analysis (AI)
Broken access control in the Revive Old Posts (tweet-old-post) WordPress plugin, through version 9.3.3, allows an authenticated attacker holding only low-level privileges to reach functionality that should be restricted to higher roles, with high impact on confidentiality, integrity and availability (data exfiltration, modification, and service disruption). The EPSS score of 0.05% (15th percentile) indicates a low probability of mass exploitation, while the 8.8 CVSS score reflects the significant damage possible once any low-privilege account is obtained. No public exploit was identified at the time of analysis, and there is no CISA KEV listing.
Technical Context (AI)
This vulnerability stems from CWE-862 (Missing Authorization), a class of flaws in which an application fails to verify that the requesting user holds sufficient permissions before granting access to protected functionality or resources. The Revive Old Posts plugin, designed to automatically reshare WordPress content to social media platforms, appears to expose functionality whose access controls are configured at the wrong security level, so that role-based restrictions are not enforced. The CVSS vector (AV:N/AC:L/PR:L/UI:N) indicates exploitation over the network with low attack complexity, requiring a low-privileged authenticated account but no user interaction, meaning the vulnerable functionality is reachable through the standard web interface without special conditions. The affected component is the WordPress plugin identified as tweet-old-post, maintained by rsocial, with the vulnerability present in all versions up to and including 9.3.3.
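The following is an added illustration of the CWE-862 pattern described above in a WordPress plugin context; it is not code from Revive Old Posts, and the hook names, option key and function names are hypothetical. It places a vulnerable AJAX handler, which treats "logged in" as if it were "authorized", beside the hardened form that checks both request intent (nonce) and capability before changing state.

```php
<?php
// Added illustration of CWE-862 (Missing Authorization) in a WordPress plugin.
// This is NOT code from Revive Old Posts; the hook names, the option key
// 'example_plugin_settings' and the function names are hypothetical.

// VULNERABLE PATTERN: wp_ajax_* hooks only fire for authenticated sessions,
// so this handler relies on login status as if it were authorization. Any
// low-privilege account (e.g. a subscriber) can rewrite plugin settings,
// which is the PR:L precondition in the CVSS vector above.
function example_vuln_save_settings() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'example_plugin_settings', $settings ); // privileged write, no check
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings', 'example_vuln_save_settings' );

// HARDENED PATTERN: verify intent (nonce), then authority (capability), then
// sanitize the payload. Note that the nonce alone is a CSRF control and does
// NOT establish authorization; the current_user_can() test is the line that
// CWE-862 code is missing.
function example_safe_save_settings() {
    // Dies with HTTP 403 if the nonce is absent or invalid.
    check_ajax_referer( 'example_save_settings', '_ajax_nonce' );

    // Only users permitted to manage site options may change plugin config.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $raw = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    // map_deep() applies the sanitizer to nested arrays as well as scalars.
    $settings = map_deep( $raw, 'sanitize_text_field' );

    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_safe_save_settings', 'example_safe_save_settings' );
```

When auditing a plugin for this class of issue, list every `add_action( 'wp_ajax_...' )`, `register_rest_route()` and `admin_post_...` handler and confirm each one that changes state or returns sensitive data performs a `current_user_can()` check appropriate to the operation; a nonce check without a capability check is the most common way a handler ends up in the CWE-862 category.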
Affected Products (AI)
The vulnerability affects the Revive Old Posts WordPress plugin (also known as tweet-old-post) maintained by rsocial, in all versions from the earliest release through version 9.3.3 inclusive. The plugin is distributed through the WordPress.org plugin repository and is used by site administrators to automatically share older blog posts to social media platforms including Twitter, Facebook, and LinkedIn. The vulnerability was reported by Patchstack's security audit team, and detailed information is available in the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Plugin/tweet-old-post/vulnerability/wordpress-revive-old-posts-plugin-9-3-3-broken-access-control-vulnerability.
Remediation (AI)
WordPress administrators should upgrade the Revive Old Posts plugin to version 9.3.4 or later as soon as it is available, since disclosure through Patchstack typically coincides with the vendor's patch release. Check for updates in the WordPress plugin repository or on the plugin's settings page and apply them through the standard WordPress update mechanism. Until the update is applied, review user role assignments and consider disabling open user registration, because accounts holding only subscriber or contributor privileges are sufficient to reach the affected functionality. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/tweet-old-post/vulnerability/wordpress-revive-old-posts-plugin-9-3-3-broken-access-control-vulnerability for specific technical details and confirmation of the fixed version number. Organizations unable to patch promptly should consider temporarily deactivating the plugin if social media automation is not critical to business operations.