Description
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. This is due to the resetSocialMetaTags() function only verifying that the user has the 'read' capability and a valid b2s_security_nonce, both of which are available to Subscriber-level users, as the plugin grants 'blog2social_access' capability to all roles upon activation, allowing them to access the plugin's admin pages where the nonce is output. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all _b2s_post_meta records from the wp_postmeta table, permanently removing all custom social media meta tags for every post on the site.
Published: 2026-03-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of social media meta tags
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in the resetSocialMetaTags() function, which only checks for a generic 'read' capability and a nonce. Because all WordPress roles receive the plugin’s 'blog2social_access' capability, authorized subscribers can invoke the AJAX action that deletes every _b2s_post_meta record. The result is a loss of custom social media meta data for all posts, damaging the site’s social sharing configuration and potentially breaking cross‑platform integrations. No code execution or data exfiltration is possible, but the integrity of post metadata is compromised.

Affected Systems

The issue affects the Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress in all releases up to and including 8.8.2. Users of any role who have basic read permissions can exploit the flaw because the plugin grants access to its admin pages on activation.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the attack requires a logged‑in user with at least subscriber level rights. Because the vulnerability depends on a legitimate AJAX endpoint that accepts a valid nonce, the exploitation cost is low for authenticated users. No EPSS data or KEV listing is available, but the weakness (CWE‑862) is widely known and could be abused by attackers with common access privileges.

Generated by OpenCVE AI on March 26, 2026 at 05:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Blog2Social to version 8.8.3 or newer, which removes the vulnerability. If upgrading is delayed, consider disabling the AJAX endpoint or restricting the plugin’s access capability to administrators only. Verify that only administrators can edit or reset social meta tags. Ensure that any subscriber-level users are not granted the 'blog2social_access' capability.

Generated by OpenCVE AI on March 26, 2026 at 05:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Pr-gateway
Pr-gateway blog2social: Social Media Auto Post & Scheduler
Wordpress
Wordpress wordpress
Vendors & Products Pr-gateway
Pr-gateway blog2social: Social Media Auto Post & Scheduler
Wordpress
Wordpress wordpress

Thu, 26 Mar 2026 04:30:00 +0000

Type Values Removed Values Added
Description The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. This is due to the resetSocialMetaTags() function only verifying that the user has the 'read' capability and a valid b2s_security_nonce, both of which are available to Subscriber-level users, as the plugin grants 'blog2social_access' capability to all roles upon activation, allowing them to access the plugin's admin pages where the nonce is output. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all _b2s_post_meta records from the wp_postmeta table, permanently removing all custom social media meta tags for every post on the site.
Title Blog2Social: Social Media Auto Post & Scheduler <= 8.8.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Deletion via 'b2s_reset_social_meta_tags' AJAX Action
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Pr-gateway Blog2social: Social Media Auto Post & Scheduler
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:57.800Z

Reserved: 2026-03-17T13:53:00.541Z

Link: CVE-2026-4331

cve-icon Vulnrichment

Updated: 2026-03-26T13:59:01.043Z

cve-icon NVD

Status : Deferred

Published: 2026-03-26T05:16:40.477

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-4331

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:08:40Z

Weaknesses