Description
The Company Posts for LinkedIn plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.0. This is due to a missing capability check on the `linkedin_company_post_reset_handler()` function hooked to `admin_post_reset_linkedin_company_post`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete LinkedIn post data stored in the site's options table.
Published: 2026-03-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of LinkedIn post data
Action: Patch
AI Analysis

Impact

The Company Posts for LinkedIn plugin for WordPress contains a missing capability check on the function that resets LinkedIn post data. As a result, any authenticated user with Subscriber or higher access can trigger the reset action and remove all LinkedIn post information stored in the site's options table. This weakness falls under Missing Authorization, allowing an attacker to delete stored data that may be important for the site's LinkedIn integration.

Affected Systems

All installations of the Company Posts for LinkedIn plugin by brainstation23 running version 1.0.0 or earlier are affected. Sites that have activated the plugin and configured LinkedIn posting are at risk. No specific WordPress core version is implicated; the issue resides entirely within the plugin.

Risk and Exploitability

The CVSS score is 4.3, indicating moderate risk. Because the vulnerability requires an authenticated user, an attacker must already have legitimate access to the WordPress administrative interface with at least Subscriber-level privileges. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited public exploitation data. Nonetheless, the ability to delete stored LinkedIn post data can disrupt automated posting and impact a site’s LinkedIn presence; organizations should therefore treat this as a patchable concern.

Generated by OpenCVE AI on March 21, 2026 at 06:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest approved update of the Company Posts for LinkedIn plugin that addresses the missing authorization check.
  • Create a comprehensive backup of the WordPress database and site files before making changes.
  • If an update is not available, deactivate or uninstall the plugin to eliminate the reset functionality.
  • Limit subscriber and other non-admin roles from accessing the WordPress admin area or specifically revoke the capability that triggers post resets.
  • Continuously monitor site logs for unauthorized usage of the reset action and verify that future plugin updates include appropriate capability checks.
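The capability check the advisory says is missing would look roughly like the following. This is an added example, not the plugin's own source: only the hook and handler names come from the description above, while the `manage_options` requirement, the nonce action, the option names and the form helper are assumptions chosen for illustration. The nonce check goes beyond the reported issue and is included because state-changing `admin_post_*` handlers normally pair it with the capability check.

```php
<?php
// Added example: hardened shape for the reset handler named in the advisory.
// NOT the plugin's actual code. The nonce action and option names are hypothetical.
defined( 'ABSPATH' ) || exit;

const EXAMPLE_RESET_NONCE = 'example_reset_linkedin_company_post'; // hypothetical nonce action

add_action( 'admin_post_reset_linkedin_company_post', 'linkedin_company_post_reset_handler' );

function linkedin_company_post_reset_handler() {
	// 1. Authorization. admin_post_{action} fires for every logged-in user,
	//    so the handler itself must decide who may reset the data.
	//    Assumption: only administrators (manage_options) should be allowed.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You are not allowed to reset LinkedIn post data.', '', array( 'response' => 403 ) );
	}

	// 2. Request intent. Reject requests that do not carry a valid nonce
	//    for this action (dies with an error page on failure).
	check_admin_referer( EXAMPLE_RESET_NONCE );

	// 3. Only now delete the stored data. Option names are placeholders.
	$options = array( 'example_linkedin_company_posts', 'example_linkedin_company_posts_fetched_at' );
	foreach ( $options as $option ) {
		delete_option( $option );
	}

	wp_safe_redirect( admin_url( 'options-general.php' ) );
	exit;
}

// Hypothetical settings-page helper: the form that submits to the handler
// carries the matching nonce and is rendered only for permitted users.
function example_render_linkedin_reset_form() {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="reset_linkedin_company_post">
		<?php wp_nonce_field( EXAMPLE_RESET_NONCE ); ?>
		<?php submit_button( 'Reset LinkedIn post data', 'delete' ); ?>
	</form>
	<?php
}
```

When reviewing a future plugin update, the thing to verify is that a check equivalent to step 1 runs before any `delete_option()` call in the handler.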



Advisories

No advisories yet.

History

Mon, 23 Mar 2026 18:15:00 +0000

Values Removed: (none)
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Values Removed: (none)
Values Added:
  • First Time appeared: Brainstation23; Brainstation23 company Posts For Linkedin; Wordpress; Wordpress wordpress
  • Vendors & Products: Brainstation23; Brainstation23 company Posts For Linkedin; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Values Removed: (none)
Values Added:
  • Description: The Company Posts for LinkedIn plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.0. This is due to a missing capability check on the `linkedin_company_post_reset_handler()` function hooked to `admin_post_reset_linkedin_company_post`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete LinkedIn post data stored in the site's options table.
  • Title: Company Posts for LinkedIn <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary LinkedIn Post Data Deletion
  • Weaknesses: CWE-862
  • References
  • Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:16.423Z

Reserved: 2026-02-04T21:13:47.975Z

Link: CVE-2026-1935

Vulnrichment

Updated: 2026-03-23T17:58:46.587Z

NVD

Status: Deferred

Published: 2026-03-21T04:16:56.800

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-1935

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:42:14Z

Weaknesses