EUVD-2026-20125
GHSA-gx9c-69hc-cjmj
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3Description
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and including, 8.8.3. This is due to the plugin's AJAX handlers failing to validate that the user-supplied 'b2s_id' parameter belongs to the current user before performing UPDATE and DELETE operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify, reschedule, or delete other users' scheduled social media posts.
Analysis
Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress versions up to 8.8.3 allow authenticated attackers with Subscriber-level access to modify, reschedule, or delete other users' scheduled social media posts through authorization bypass in AJAX handlers. The vulnerability stems from insufficient validation of user-controlled 'b2s_id' parameters before performing UPDATE and DELETE operations, enabling privilege escalation within multi-user WordPress environments. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today