Blog2Social: Social Media Auto Post & Scheduler < 8.7.3 – Incorrect Authorization to Authenticated (Subscriber+) Sensitive Information Exposure | CVE 2025-14943 | Plugin Vulnerabilities

Description

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. This is due to a misconfigured authorization check on the 'getShipItemFullText' function which only verifies that a user has the 'read' capability (Subscriber-level) and a valid nonce, but fails to verify whether the user has permission to access the specific post being requested. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract data from password-protected, private, or draft posts.

Affects Plugins

Fixed in 8.7.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7374db91-4e7d-4db2-9c58-bb9bdda5c85d

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

theviper17y

Verified

No

WPVDB ID

0e203004-59bb-40df-b092-ceccc3b9eeb0

Timeline

Publicly Published

2026-01-09 (about 4 months ago)

Added

2026-01-09 (about 4 months ago)

Last Updated

2026-01-10 (about 4 months ago)

Other

Published

Title

Published

2021-12-28

Title

Shortcode Addons < 3.2.0 - Authenticated Arbitrary Options Update

Published

2022-03-10

Title

WooCommerce < 6.3.1 - Orders Marked as Paid (via PayPal Standard Gateway)

Published

2025-11-07

Title

Flexible Refund and Return Order for WooCommerce < 1.0.43 - Incorrect Authorization to Authenticated (Contributor+) Refund Status Update

Published

2025-10-31

Title

Folderly < 0.3.1 - Incorrect Authorization to Authenticated (Author+) Term Deletion

Published

2022-09-22

Title

Customer Reviews for WooCommerce < 5.3.6 - Broken Access Control