Skip to main content

WordPress CVE-2026-4330

| EUVDEUVD-2026-20125 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-08 Wordfence GHSA-gx9c-69hc-cjmj
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 08:10 euvd
EUVD-2026-20125
Analysis Generated
Apr 08, 2026 - 08:10 vuln.today
CVE Published
Apr 08, 2026 - 07:43 nvd
MEDIUM 4.3

DescriptionCVE.org

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and including, 8.8.3. This is due to the plugin's AJAX handlers failing to validate that the user-supplied 'b2s_id' parameter belongs to the current user before performing UPDATE and DELETE operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify, reschedule, or delete other users' scheduled social media posts.

AnalysisAI

Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress versions up to 8.8.3 allow authenticated attackers with Subscriber-level access to modify, reschedule, or delete other users' scheduled social media posts through authorization bypass in AJAX handlers. The vulnerability stems from insufficient validation of user-controlled 'b2s_id' parameters before performing UPDATE and DELETE operations, enabling privilege escalation within multi-user WordPress environments. No public exploit code or active exploitation has been reported, but the low CVSS complexity and minimal authentication barrier (Subscriber role) make this a practical attack vector in shared hosting scenarios.

Technical ContextAI

Blog2Social is a WordPress plugin that manages scheduled social media post distribution across multiple platforms. The vulnerability exists in AJAX handlers within the plugin's Post.php and related files (B2S/Post/Tools.php, B2S/Ship/Save.php, Loader.php) that process 'b2s_id' parameters identifying scheduled posts. The root cause is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), which occurs when the application accepts user-supplied identifiers to access resources without verifying ownership or permissions. The AJAX endpoints fail to implement ownership checks before executing UPDATE (reschedule/modify) and DELETE operations on the 'b2s_id' parameter, allowing any authenticated subscriber to operate on posts belonging to other users. The flaw affects all versions through 8.8.3 of the plugin (CPE: cpe:2.3:a:pr-gateway:blog2social), with source code exposure visible in the WordPress plugin repository's browser links.

RemediationAI

Update Blog2Social: Social Media Auto Post & Scheduler to version 8.8.4 or later, which addresses the authorization bypass by implementing proper ownership validation on 'b2s_id' parameters in AJAX handlers. Users should navigate to WordPress Plugins > Installed Plugins, locate Blog2Social, and click Update if available; automatic updates can be enabled for future releases. Until patching is possible, site administrators can mitigate by restricting Subscriber-level user accounts via the WordPress user role editor plugin or by temporarily disabling Blog2Social if it is not actively in use. Refer to the Wordfence vulnerability advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/f3eec9c6-fef9-4d6e-8328-51efb997c99c?source=cve) for additional technical details and verification of patch availability.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-4330 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy