Threat Entry Updated 2026-03-30

CVE-2026-4331 - Blog2Social: Social Media Auto Post & Scheduler Plugin

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. This is due to the resetSocialMetaTags() function only verifying that the user has the 'read' capability and a valid b2s_security_nonce, both of which are available to Subscriber-level users, as the plugin grants 'blog2social_access' capability to all roles upon activation, allowing them to access the plugin's admin pages where the nonce is output. This makes it possible for authenticated attackers, with Subscriber-level access and above, to…

PLUGIN Blog2Social: Social Media Auto Post & Scheduler

CVE-2026-4331

MEDIUM CVSS 4.3 2026-03-26

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-04-15

CVE-2026-1942 - Blog2Social: Social Media Auto Post & Scheduler Plugin

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the b2s_curation_draft AJAX action in all versions up to, and including, 8.7.4. The curationDraft() function only verifies current_user_can('read') without checking whether the user has edit_post permission for the target post. Combined with the plugin granting UI access and nonce exposure to all roles, this makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the title and content of arbitrary posts and…

PLUGIN Blog2Social: Social Media Auto Post & Scheduler

CVE-2026-1942

MEDIUM CVSS 6.5 2026-02-18

Risk Score

Open Full Technical Breakdown