WordPress Plugin Vulnerabilities

Blog2Social < 6.9.12 - Subscriber+ Settings Update

Description

The plugin does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them

Affects Plugins

Plugin icon
blog2social
Fixed in 6.9.12

References

CVE
CVE-2022-3622
URL
https://www.wordfence.com/blog/2022/11/missing-authorization-vulnerability-in-blog2social-plugin/

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Marco Wotschka
Verified
No
WPVDB ID
b7b476f5-6463-47ba-9584-18eed3d7dbb5

Timeline

Publicly Published
2022-11-08 (about 3 years ago)
Added
2022-11-08 (about 3 years ago)
Last Updated
2022-11-08 (about 3 years ago)

Other

Published
Title
Published
2025-11-29
Title
Compress for MainWP <= 6.50.17 - Missing Authorization
Published
2026-03-20
Title
WP-Chatbot for Messenger <= 4.9 - Missing Authorization to Unauthenticated Chatbot Configuration Takeover
Published
2026-04-23
Title
WP Books Gallery < 4.8.1 - Missing Authorization to Unauthenticated Settings Update via 'permalink_structure' Parameter
Published
2025-11-21
Title
GoDAM < 1.4.7 - Missing Authorization
Published
2022-08-16
Title
Calendar Event Multi View < 1.4.07 - Unauthenticated Arbitrary Event Creation to Stored XSS