WordPress Plugin Vulnerabilities
Blog2Social: Social Media Auto Post & Scheduler < 8.8.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Schedule Modification via 'b2s_id' Parameter
Description
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and including, 8.8.3. This is due to the plugin's AJAX handlers failing to validate that the user-supplied 'b2s_id' parameter belongs to the current user before performing UPDATE and DELETE operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify, reschedule, or delete other users' scheduled social media posts.
Affects Plugins
Fixed in 8.8.4 References
Classification
Type
IDOR
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
s00me00ne
Verified
No
WPVDB ID
Timeline
Publicly Published
2026-04-07 (about 1 month ago)
Added
2026-04-07 (about 1 month ago)
Last Updated
2026-04-08 (about 1 month ago)
WPScan 