Blog2Social: Social Media Auto Post & Scheduler < 8.6.1 – Incorrect Authorization to Video File Upload | CVE 2025-12563 | Plugin Vulnerabilities

Description

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to limited file upload due to an incorrect capability check on theuploadVideo() function in all versions up to, and including, 8.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload mp4 files to the 'wp-content/uploads/<YYYY>/<MM>/' directory.

Affects Plugins

Fixed in 8.6.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3710f139-0f17-426c-b48c-4c42ae4bab5f

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

thinnawarth mathuros

Verified

No

WPVDB ID

d9797de5-1ff6-419f-b122-eda6951575fe

Timeline

Publicly Published

2025-11-05 (about 6 months ago)

Added

2025-11-05 (about 6 months ago)

Last Updated

2025-11-06 (about 6 months ago)

Other

Published

Title

Published

2023-11-24

Title

Booster for WooCommerce < 7.1.3 - Missing Authorization to Product Creation/Modification

Published

2025-06-05

Title

BM Content Builder < 3.16.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via ux_cb_page_options_save

Published

2024-12-22

Title

Client Invoicing by Sprout Invoices – Easy Estimates and Invoices < 20.8.2 - Missing Authorization

Published

2026-01-16

Title

onepay Payment Gateway For WooCommerce < 1.1.3 - Missing Authorization to Unauthenticated Order Status Modification

Published

2023-12-25

Title

Estatik Real Estate Plugin < 4.1.1 - Subscriber+ Arbitrary Option Update