CVE-2025-12563 - Vulnerability Details

- Blog2Social: Social Media Auto Post & Scheduler <= 8.6.0 - Incorrect Authorization to Video File Upload

Description

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to limited file upload due to an incorrect capability check on theuploadVideo() function in all versions up to, and including, 8.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload mp4 files to the 'wp-content/uploads/<YYYY>/<MM>/' directory.

Published: 2025-11-06

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Blog2Social plugin, a WordPress extension for auto‑posting to social media, contains a flaw where the uploadVideo() function checks the user capability incorrectly. Consequently, any authenticated user with Subscriber or higher role can upload MP4 files to the wp‑content/uploads folder, potentially leading to unauthorized content placement on the site. This allows attackers to alter site media storage, hide malicious content, or exploit other weaknesses relying on the presence of uploaded files. The weakness is a classic example of incorrect authorization and is classified as CWE‑862.

Affected Systems

All WordPress installations running Blog2Social version 8.6.0 or earlier are impacted. This includes any site that has installed the plugin without updating to a newer release that removes the capability check. Site administrators should verify the currently installed plugin version and ensure it is at 8.6.1 or higher.

Risk and Exploitability

The CVSS base score of 4.3 indicates moderate severity. With an EPSS score of less than 1%, the likelihood of exploitation is extremely low at present. The vulnerability is not listed in the CISA KEV catalog, reducing its prominence. The attack vector requires authenticated access; therefore, users with Subscriber privileges can abuse the flaw. In practice, exploitation would involve uploading an MP4 file to the uploads directory, which may then be accessed publicly or used in further attacks if the site's security posture is otherwise weak.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

pr-gateway

Blog2Social: Social Media Auto Post & Scheduler

unaffected

Version	Status	Constraints
`0`	affected	≤ 8.6.0

No data.

Vendor	Product	Confidence	Versions
Blog2social	Blog2social	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Blog2Social to the latest version (8.6.1 or newer) where the capability check has been fixed
If an update is not immediately possible, restrict the file types allowed for media uploads in WordPress settings to exclude .mp4 files or set stricter capability checks for the Video Upload feature
Consider disabling the video upload feature entirely for Subscriber and lower roles via a role‑management plugin or code snippet

Generated by OpenCVE AI on April 22, 2026 at 00:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00023.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/changeset/3389636/blog2social
https://www.wordfence.com/threat-intel/vulnerabilities/id/3710f139-0f17-426c-b48c-4c42ae4bab5f?source=cve

History

Thu, 06 Nov 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 06 Nov 2025 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Blog2social Blog2social blog2social Wordpress Wordpress wordpress
Vendors & Products		Blog2social Blog2social blog2social Wordpress Wordpress wordpress

Thu, 06 Nov 2025 04:45:00 +0000

Type	Values Removed	Values Added
Description		The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to limited file upload due to an incorrect capability check on theuploadVideo() function in all versions up to, and including, 8.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload mp4 files to the 'wp-content/uploads/<YYYY>/<MM>/' directory.
Title		Blog2Social: Social Media Auto Post & Scheduler <= 8.6.0 - Incorrect Authorization to Video File Upload
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/changeset/3389636/blog2social https://www.wordfence.com/threat-intel/vulnerabilities/id/3710f139-0f17-426c-b48c-4c42ae4bab5f?source=cve
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Blog2social Blog2social

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-11-06T04:36:21.892Z

Updated: 2026-04-08T16:46:16.390Z

Reserved: 2025-10-31T19:07:24.936Z

Link: CVE-2025-12563

Vulnrichment

Updated: 2025-11-06T14:08:50.311Z

NVD

Status : Deferred

Published: 2025-11-06T05:16:05.130

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12563

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:45:04Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object