Blog2Social < 8.7.1 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Trashing | CVE 2025-13558 | Plugin Vulnerabilities

Description

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'deleteUserCcDraftPost' function in all versions up to, and including, 8.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the status of arbitrary posts to trash.

Affects Plugins

Fixed in 8.7.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/61b590f5-7854-42f7-b5e2-e6feaaf03a73

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

3b8de1e3-75ce-491e-9d4a-bff4416afcbe

Timeline

Publicly Published

2025-11-24 (about 5 months ago)

Added

2025-11-24 (about 5 months ago)

Last Updated

2026-01-16 (about 3 months ago)

Other

Published

Title

Published

2025-03-25

Title

Active Products Tables for WooCommerce < 1.0.6.8 - Unauthenticated Arbitrary Filter Call

Published

2024-11-22

Title

Product Table for WooCommerce by CodeAstrology (wooproducttable.com) < 3.5.2 - Information Exposure

Published

2024-02-26

Title

Categorify < 1.0.7.5 - Missing Authorization in categorifyAjaxAddCategory

Published

2025-08-22

Title

WC Plus <= 1.2.0 - Missing Authorization to Unauthenticated Settings Manipulation

Published

2026-03-20

Title

Bit SMTP – Easy SMTP Solution with Email Logs < 1.2.3 - Missing Authorization