Description
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and including, 8.8.3. This is due to the plugin's AJAX handlers failing to validate that the user-supplied 'b2s_id' parameter belongs to the current user before performing UPDATE and DELETE operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify, reschedule, or delete other users' scheduled social media posts.
Published: 2026-04-08
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of scheduled social media posts
Action: Patch immediately
AI Analysis

Impact

The Blog2Social plugin, a WordPress add-on used for scheduling social media content, contains an authorization bypass that lets any authenticated user with the Subscriber role or higher modify, reschedule or delete scheduled posts belonging to other users. Its AJAX handlers take the 'b2s_id' parameter from the request and run the UPDATE or DELETE against that row without verifying that the row belongs to the current user. Because wp_ajax_* hooks are reachable by any logged-in account, the lowest role is enough. This is a classic Insecure Direct Object Reference (CWE-639, authorization bypass through a user-controlled key) and can lead to unwanted reposting, rescheduling or deletion of posts, compromising the integrity of the organization's social media output.
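The handler pattern the description points at, shown as an added illustration rather than Blog2Social's own code: the vulnerable form selects the row by the caller's 'b2s_id' alone, the hardened form resolves ownership server-side and scopes both the UPDATE and the DELETE to the current user. The table name b2s_posts_sched, its columns (id, user_id, sched_date), the nonce action 'b2s_security_nonce' and the AJAX action names are assumptions made for the example.

```php
<?php
// Added example, not Blog2Social source code. Table/column names, the nonce
// action and the AJAX action names are assumptions made for illustration.

// --- Vulnerable pattern (CWE-639). The row is selected by the caller's
// b2s_id alone; nothing ties it to the logged-in user. Every wp_ajax_* hook
// is reachable by any authenticated user, so a Subscriber can send another
// user's b2s_id and the UPDATE succeeds.
function b2s_example_update_schedule_vulnerable() {
    global $wpdb;
    check_ajax_referer( 'b2s_security_nonce', 'nonce' ); // CSRF token only, not authorization
    $id       = (int) $_POST['b2s_id'];
    $sched_at = sanitize_text_field( wp_unslash( $_POST['sched_date'] ) );
    $wpdb->update(
        $wpdb->prefix . 'b2s_posts_sched',
        array( 'sched_date' => $sched_at ),
        array( 'id' => $id ),            // WHERE id = ?  (owner never checked)
        array( '%s' ),
        array( '%d' )
    );
    wp_send_json_success();
}

// --- Hardened pattern. Ownership is resolved from the database row, never
// from anything the client sends, and the current user's id is repeated in
// the WHERE clause of every write as defense in depth.
function b2s_example_owned_schedule_id( $raw_id ) {
    global $wpdb;
    $id      = absint( $raw_id );
    $user_id = get_current_user_id();
    if ( 0 === $id || 0 === $user_id ) {
        return 0;
    }
    $table = $wpdb->prefix . 'b2s_posts_sched';
    $found = $wpdb->get_var( $wpdb->prepare(
        "SELECT id FROM {$table} WHERE id = %d AND user_id = %d",
        $id, $user_id
    ) );
    // Same answer for "no such row" and "not yours", so callers cannot
    // enumerate which b2s_id values exist for other users.
    return null === $found ? 0 : (int) $found;
}

function b2s_example_update_schedule_fixed() {
    global $wpdb;
    check_ajax_referer( 'b2s_security_nonce', 'nonce' );
    if ( ! current_user_can( 'publish_posts' ) ) {  // Subscriber and Contributor lack this
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $id       = b2s_example_owned_schedule_id( isset( $_POST['b2s_id'] ) ? $_POST['b2s_id'] : 0 );
    $sched_at = isset( $_POST['sched_date'] ) ? sanitize_text_field( wp_unslash( $_POST['sched_date'] ) ) : '';
    if ( 0 === $id || '' === $sched_at ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }
    // The SELECT in the helper is kept on purpose: $wpdb->update() returns 0
    // both for "no matching row" and "values already identical", so the
    // affected-row count alone cannot tell a rejected request from a no-op.
    $rows = $wpdb->update(
        $wpdb->prefix . 'b2s_posts_sched',
        array( 'sched_date' => $sched_at ),
        array( 'id' => $id, 'user_id' => get_current_user_id() ),
        array( '%s' ),
        array( '%d', '%d' )
    );
    if ( false === $rows ) {
        wp_send_json_error( array( 'message' => 'db error' ), 500 );
    }
    wp_send_json_success( array( 'updated' => (int) $rows ) );
}

function b2s_example_delete_schedule_fixed() {
    global $wpdb;
    check_ajax_referer( 'b2s_security_nonce', 'nonce' );
    if ( ! current_user_can( 'publish_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $id = b2s_example_owned_schedule_id( isset( $_POST['b2s_id'] ) ? $_POST['b2s_id'] : 0 );
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }
    $rows = $wpdb->delete(
        $wpdb->prefix . 'b2s_posts_sched',
        array( 'id' => $id, 'user_id' => get_current_user_id() ),
        array( '%d', '%d' )
    );
    if ( false === $rows ) {
        wp_send_json_error( array( 'message' => 'db error' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => (int) $rows ) );
}

// Only the hardened handlers are registered; the vulnerable one is for comparison.
add_action( 'wp_ajax_b2s_example_update_schedule', 'b2s_example_update_schedule_fixed' );
add_action( 'wp_ajax_b2s_example_delete_schedule', 'b2s_example_delete_schedule_fixed' );
```

Neither the nonce nor the capability check closes this class of bug on its own: check_ajax_referer() only proves the request came from the site's own page (CSRF), and an Author with publish_posts still owns only their own schedule entries. The fix is the ownership join on get_current_user_id() in the query, which is what the advisory says the affected versions lack.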

Affected Systems

Any WordPress installation running the Blog2Social plugin at version 8.8.3 or earlier is affected, regardless of hosting environment or WordPress core version; the vulnerability is present in all releases up to and including 8.8.3. No dependencies beyond the plugin itself are listed.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 4.3 (Medium; vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), reflecting a network-reachable flaw with low attack complexity, no user interaction and a limited impact on integrity only. Because an attacker must first authenticate with a WordPress account holding at least the Subscriber role, exposure is greatest on sites with open registration (Subscriber is WordPress's default role for self-registered users) or with many low-privileged accounts. The EPSS score is below 1% (Very Low), the SSVC assessment records no known exploitation and rates the flaw as not automatable with partial technical impact, and it is not catalogued in CISA's KEV list. The attack path requires a valid login, knowledge of a target 'b2s_id' value belonging to another user, and submission of that value to the plugin's AJAX handler for an UPDATE or DELETE.

Generated by OpenCVE AI on April 8, 2026 at 10:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Blog2Social plugin to a release newer than 8.8.3 as soon as the vendor publishes the fix; the advisory scopes affected versions to 8.8.3 and earlier.
  • Until the update can be applied, reduce the exposed population: disable open registration (Settings > General, "Anyone can register"), audit and remove unneeded Subscriber-level accounts, or temporarily disable the plugin's scheduling features.
  • Verify that the installed plugin files match the author's published checksums (WP-CLI's wp plugin verify-checksums command compares them against the WordPress.org copy) to detect tampering.


Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Pr-gateway
                                       Pr-gateway blog2social: Social Media Auto Post & Scheduler
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products    -                Pr-gateway
                                       Pr-gateway blog2social: Social Media Auto Post & Scheduler
                                       Wordpress
                                       Wordpress wordpress

Wed, 08 Apr 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 08:15:00 +0000

Type          Values Removed   Values Added
Description   -                The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and including, 8.8.3. This is due to the plugin's AJAX handlers failing to validate that the user-supplied 'b2s_id' parameter belongs to the current user before performing UPDATE and DELETE operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify, reschedule, or delete other users' scheduled social media posts.
Title         -                Blog2Social: Social Media Auto Post & Scheduler <= 8.8.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Schedule Modification via 'b2s_id' Parameter
Weaknesses    -                CWE-639
References    -                -
Metrics       -                cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:59.960Z

Reserved: 2026-03-17T13:51:34.020Z

Link: CVE-2026-4330

Vulnrichment

Updated: 2026-04-08T14:18:30.610Z

NVD

Status : Deferred

Published: 2026-04-08T08:16:23.733

Modified: 2026-04-24T18:15:28.940

Link: CVE-2026-4330

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:43:27Z

Weaknesses