Description
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'deleteUserCcDraftPost' function in all versions up to, and including, 8.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the status of arbitrary posts to trash.
Published: 2025-11-25
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Post Trashing
Action: Upgrade Plugin
AI Analysis

Impact

The Blog2Social plugin for WordPress contains a missing capability check on the deleteUserCcDraftPost function. As a result, any authenticated user with Subscriber level or higher can invoke this AJAX action and change the status of any post to trash. This flaw permits unauthorized deletion or defacement of content without requiring elevated privileges. The weakness is classified as Missing Authorization (CWE-862).

Affected Systems

All installations of Blog2Social for WordPress up to and including version 8.7.0 are affected. Users running these versions should confirm their deployed plugin version and plan an upgrade accordingly.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity, but the EPSS score of less than 1% suggests a very low current probability of exploitation. Attackers need only authentication with Subscriber-level access or higher to trigger the vulnerability. The lack of a required high-level privilege and the absence in the CISA KEV list reduce the immediate threat, yet the potential to erase or disrupt content makes it worth addressing promptly.

Generated by OpenCVE AI on April 22, 2026 at 00:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Blog2Social to the latest version that includes the authorization fix.
  • If an immediate upgrade is not possible, restrict or disable the AJAX action deleteUserCcDraftPost for Subscriber and lower roles through a custom code snippet or a role‑management plugin.
  • Verify that the WordPress core and other plugins remain up to date and that all user roles are correctly assigned to prevent accidental privilege escalation.

Generated by OpenCVE AI on April 22, 2026 at 00:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 16 Jan 2026 13:45:00 +0000

Type Values Removed Values Added
References

Wed, 26 Nov 2025 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Blog2social
Blog2social blog2social
Wordpress
Wordpress wordpress
Vendors & Products Blog2social
Blog2social blog2social
Wordpress
Wordpress wordpress

Tue, 25 Nov 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 25 Nov 2025 05:00:00 +0000

Type Values Removed Values Added
Description The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'deleteUserCcDraftPost' function in all versions up to, and including, 8.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the status of arbitrary posts to trash.
Title Blog2Social <= 8.7.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Trashing
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

Subscriptions

Blog2social Blog2social
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:54.650Z

Reserved: 2025-11-22T15:46:48.214Z

Link: CVE-2025-13558

cve-icon Vulnrichment

Updated: 2025-11-25T17:06:21.557Z

cve-icon NVD

Status : Deferred

Published: 2025-11-25T05:16:09.863

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13558

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:30:04Z

Weaknesses