4.3
Blog2Social Plugin for WordPress Allows Attackers to Modify Other Users' Posts
CVE-2026-4330
Summary
The Blog2Social plugin for WordPress has an authorization flaw that lets any logged-in user with a Subscriber-level account or higher modify or delete scheduled social media posts that belong to other users. To protect your site, update the Blog2Social plugin to the latest version, which fixes this issue.
Original title
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and including, 8.8.3. This is due t...
Original description
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and including, 8.8.3. This is due to the plugin's AJAX handlers failing to validate that the user-supplied 'b2s_id' parameter belongs to the current user before performing UPDATE and DELETE operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify, reschedule, or delete other users' scheduled social media posts.
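The missing check described above, shown as an added example (this is not Blog2Social's code or the vendor's patch): a WordPress AJAX handler that confirms the row named by 'b2s_id' belongs to the current user before updating it. The action name, nonce action, table name and column names are hypothetical.

```php
<?php
// Added example, not Blog2Social code. Action name, nonce action, table and
// column names are hypothetical placeholders.
add_action('wp_ajax_example_reschedule', 'example_reschedule');

function example_reschedule() {
    global $wpdb;

    // Reject requests without a valid nonce (exits with 403 on failure).
    check_ajax_referer('example_reschedule_nonce', 'nonce');

    $user_id = get_current_user_id();
    $b2s_id  = isset($_POST['b2s_id']) ? absint($_POST['b2s_id']) : 0;
    $raw     = isset($_POST['sched_date']) ? sanitize_text_field(wp_unslash($_POST['sched_date'])) : '';
    $ts      = strtotime($raw);

    if (!$user_id || !$b2s_id || $ts === false) {
        wp_send_json_error(array('message' => 'Invalid request'), 400);
    }

    $table = $wpdb->prefix . 'example_sched_posts'; // hypothetical table

    // Look up who owns the row the client named. The id comes from the
    // request, so it identifies a row but proves nothing about ownership.
    $owner = $wpdb->get_var(
        $wpdb->prepare("SELECT owner_id FROM {$table} WHERE id = %d", $b2s_id)
    );

    // Same answer for "no such row" and "someone else's row", so the
    // response does not confirm which ids exist.
    if ($owner === null || (int) $owner !== $user_id) {
        wp_send_json_error(array('message' => 'Not found'), 404);
    }

    // Keep the owner in the WHERE clause as well, so the write itself
    // cannot touch another user's row.
    $updated = $wpdb->update(
        $table,
        array('sched_date' => gmdate('Y-m-d H:i:s', $ts)),
        array('id' => $b2s_id, 'owner_id' => $user_id),
        array('%s'),
        array('%d', '%d')
    );

    if ($updated === false) {
        wp_send_json_error(array('message' => 'Database error'), 500);
    }
    wp_send_json_success(array('id' => $b2s_id));
}
```

The same ownership predicate belongs on any handler that deletes a row by a client-supplied id.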
nvd CVSS3.1
4.3
Vulnerability type
CWE-639
Authorization Bypass Through User-Controlled Key
- https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/...
- https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/...
- https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/...
- https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/...
- https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/B2S/P...
- https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/B2S/S...
- https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Loade...
- https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post....
- https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post....
- https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post....
- https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post....
- https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/B2S/Post/T...
- https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/B2S/Ship/S...
- https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Loader.php...
- https://plugins.trac.wordpress.org/changeset/3494550/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f3eec9c6-fef9-4d6e-832...
Published: 8 Apr 2026 · Updated: 9 Apr 2026 · First seen: 8 Apr 2026