Blog2Social: Social Media Auto Post & Scheduler < 8.7.5 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Modification | CVE 2026-1942 | Plugin Vulnerabilities

Description

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the b2s_curation_draft AJAX action in all versions up to, and including, 8.7.4. The curationDraft() function only verifies current_user_can('read') without checking whether the user has edit_post permission for the target post. Combined with the plugin granting UI access and nonce exposure to all roles, this makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the title and content of arbitrary posts and pages by supplying a target post ID via the 'b2s-draft-id' parameter.

Affects Plugins

Fixed in 8.7.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/930e7fd6-ae0b-465a-aa93-04ef80011d32

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucas Montes (NiRoX)

Verified

No

WPVDB ID

6e933973-a814-4b79-9f6e-aa48c3c2bbdc

Timeline

Publicly Published

2026-02-17 (about 2 months ago)

Added

2026-02-17 (about 2 months ago)

Last Updated

2026-02-18 (about 2 months ago)

Other

Published

Title

Published

2026-04-21

Title

Booking Package < 1.7.07 - Missing Authorization

Published

2025-03-04

Title

WP Online Contract <= 5.1.4 - Missing Authorization to Unauthenticated Settings Import

Published

2026-04-21

Title

Motors – Car Dealership & Classified Listings Plugin < 1.4.107 - Missing Authorization

Published

2024-10-13

Title

Happy Addons for Elementor < 3.12.4 - Missing Authorization

Published

2024-05-20

Title

Crafthemes Demo Import <= 3.3 - Missing Authorization to Arbitrary Plugin Installation