
Description

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. This is due to missing ownership verification in the B2S_Post_Tools::deleteUserPublishPost() and B2S_Post_Tools::deleteUserSchedPost() functions: neither function includes a blog_user_id constraint in its database query, which allows authenticated attackers to soft-delete any user's B2S post records by supplying arbitrary sequential wp_b2s_posts.id values via the 'postId' parameter. This makes it possible for authenticated attackers to delete other users' published and scheduled social media post records, disrupting content publishing workflows.

PUBLISHED Reserved 2026-04-25 | Published 2026-05-13 | Updated 2026-05-13 | Assigner Wordfence




MEDIUM: 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Problem types

CWE-862 Missing Authorization

Product status

Default status: unaffected

Any version: affected

Timeline

2026-04-25: Vendor Notified
2026-05-12: Disclosed

Credits

Nicky Dev (finder)

References

www.wordfence.com/...-851a-4a6d-aa6c-9f759c5866d9?source=cve

plugins.trac.wordpress.org/...nk/includes/B2S/Post/Tools.php

plugins.trac.wordpress.org/....0/includes/B2S/Post/Tools.php

plugins.trac.wordpress.org/...l/trunk/includes/Ajax/Post.php

plugins.trac.wordpress.org/...s/8.9.0/includes/Ajax/Post.php

plugins.trac.wordpress.org/....2/includes/B2S/Post/Tools.php

plugins.trac.wordpress.org/...s/8.8.2/includes/Ajax/Post.php

plugins.trac.wordpress.org/...g2social&sfp_email=&sfph_mail=

cve.org (CVE-2026-7051)

nvd.nist.gov (CVE-2026-7051)
