CVE-2026-7051 - Vulnerability Details

- Blog2Social: Social Media Auto Post & Scheduler <= 8.9.0 - Missing Authorization to Authenticated (Subscriber+) Delete Arbitrary B2S Post Records via 'postId' Parameter

Description

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. This is due to a missing ownership verification in the B2S_Post_Tools::deleteUserPublishPost() and B2S_Post_Tools::deleteUserSchedPost() functions, neither function includes a blog_user_id constraint in its database query, allowing authenticated attackers to soft-delete any user's B2S post records by supplying arbitrary sequential wp_b2s_posts.id values via the 'postId' parameter. This makes it possible for authenticated attackers to delete other users' published and scheduled social media post records, disrupting content publishing workflows.

Published: 2026-05-13

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Blog2Social WordPress plugin contains a missing ownership verification in its delete functions. When an authenticated user supplies a post identifier, the plugin does not verify that the post belongs to that user, enabling the attacker to soft‑delete any user’s social media post record. The impact is the loss of scheduled or published content from other users, potentially disrupting collaborative publishing workflows. This flaw is a classic example of missing authorization (CWE-862).

Affected Systems

WordPress sites that have installed Blog2Social Social Media Auto Post & Scheduler up to and including version 8.9.0 are affected. All users with authenticated access through the plugin can exploit the weakness, regardless of the site’s size or number of users.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity. No EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalog. An attacker only needs valid login credentials to invoke the delete endpoint or API call; no additional privileges or advanced techniques are required. The risk is confined to authenticated users, but any such user could delete posts belonging to other users.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

pr-gateway

Blog2Social: Social Media Auto Post & Scheduler

unaffected

Version	Status	Constraints
`0`	affected	≤ 8.9.0

No data.

Vendor Product Confidence Versions

Pr-gateway

Blog2social: Social Media Auto Post & Scheduler

100%

Version	Status	Scheme	Platform
`[0,8.9.0]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Blog2Social to a version that includes the missing authorization fix.
Limit delete permissions to administrators only by configuring role‑based access controls or disabling deletion functionality for non‑admin roles if the plugin allows it.
Implement logging and monitoring of delete actions so that unauthorized deletions can be detected and investigated.

Generated by OpenCVE AI on May 13, 2026 at 06:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00056.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L1947
https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L2264
https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/B2S/Post/Tools.php#L24
https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/B2S/Post/Tools.php#L84
https://plugins.trac.wordpress.org/browser/blog2social/tags/8.9.0/includes/Ajax/Post.php#L1947
https://plugins.trac.wordpress.org/browser/blog2social/tags/8.9.0/includes/Ajax/Post.php#L2264
https://plugins.trac.wordpress.org/browser/blog2social/tags/8.9.0/includes/B2S/Post/Tools.php#L24
https://plugins.trac.wordpress.org/browser/blog2social/tags/8.9.0/includes/B2S/Post/Tools.php#L84
https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L1947
https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L2264
https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/B2S/Post/Tools.php#L24
https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/B2S/Post/Tools.php#L84
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3523333%40blog2social&new=3523333%40blog2social&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/f0859e21-851a-4a6d-aa6c-9f759c5866d9?source=cve

History

Wed, 13 May 2026 11:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 13 May 2026 06:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pr-gateway Pr-gateway blog2social: Social Media Auto Post & Scheduler Wordpress Wordpress wordpress
Vendors & Products		Pr-gateway Pr-gateway blog2social: Social Media Auto Post & Scheduler Wordpress Wordpress wordpress

Wed, 13 May 2026 04:45:00 +0000

Type	Values Removed	Values Added
Description		The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. This is due to a missing ownership verification in the B2S_Post_Tools::deleteUserPublishPost() and B2S_Post_Tools::deleteUserSchedPost() functions, neither function includes a blog_user_id constraint in its database query, allowing authenticated attackers to soft-delete any user's B2S post records by supplying arbitrary sequential wp_b2s_posts.id values via the 'postId' parameter. This makes it possible for authenticated attackers to delete other users' published and scheduled social media post records, disrupting content publishing workflows.
Title		Blog2Social: Social Media Auto Post & Scheduler <= 8.9.0 - Missing Authorization to Authenticated (Subscriber+) Delete Arbitrary B2S Post Records via 'postId' Parameter
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L1947 https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L2264 https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/B2S/Post/Tools.php#L24 https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/B2S/Post/Tools.php#L84 https://plugins.trac.wordpress.org/browser/blog2social/tags/8.9.0/includes/Ajax/Post.php#L1947 https://plugins.trac.wordpress.org/browser/blog2social/tags/8.9.0/includes/Ajax/Post.php#L2264 https://plugins.trac.wordpress.org/browser/blog2social/tags/8.9.0/includes/B2S/Post/Tools.php#L24 https://plugins.trac.wordpress.org/browser/blog2social/tags/8.9.0/includes/B2S/Post/Tools.php#L84 https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L1947 https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L2264 https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/B2S/Post/Tools.php#L24 https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/B2S/Post/Tools.php#L84 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3523333%40blog2social&new=3523333%40blog2social&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/f0859e21-851a-4a6d-aa6c-9f759c5866d9?source=cve
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}`

Subscriptions

Pr-gateway Blog2social: Social Media Auto Post & Scheduler

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-05-13T04:26:41.505Z

Updated: 2026-05-13T10:21:40.570Z

Reserved: 2026-04-25T18:38:15.157Z

Link: CVE-2026-7051

Vulnrichment

Updated: 2026-05-13T10:18:41.550Z

NVD

Status : Deferred

Published: 2026-05-13T05:16:24.340

Modified: 2026-05-13T14:43:46.717

Link: CVE-2026-7051

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T07:00:12Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object