WordPress · Blog2Social · CVE-2026-7051
**Name of the Vulnerable Software and Affected Versions**
Blog2Social: Social Media Auto Post & Scheduler versions prior to 8.9.1
**Description**
The plugin is affected by missing authorization due to a lack of ownership verification in the `deleteUserPublishPost()` and `deleteUserSchedPost()` functions. These functions do not include a `blog_user_id` constraint in their database queries, which allows authenticated attackers to soft-delete any user's post records by providing arbitrary sequential `wp_b2s_posts.id` values through the `postId` parameter. This can lead to the deletion of other users' published and scheduled social media posts, disrupting content publishing workflows.
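The missing ownership constraint, shown beside its scoped form as an added example (not Blog2Social's code), using Python and an in-memory SQLite table standing in for `wp_b2s_posts`. The `hide` soft-delete column, the function names and the sample rows are assumptions made for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: posts 1 and 2 belong to user 10, post 3 to user 20."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE wp_b2s_posts ("
        " id INTEGER PRIMARY KEY,"
        " blog_user_id INTEGER NOT NULL,"
        " hide INTEGER NOT NULL DEFAULT 0)"  # assumed soft-delete flag
    )
    db.executemany(
        "INSERT INTO wp_b2s_posts (id, blog_user_id) VALUES (?, ?)",
        [(1, 10), (2, 10), (3, 20)],
    )
    return db

def soft_delete_unscoped(db, post_id):
    """Pattern from the description: the row is matched by id alone."""
    cur = db.execute("UPDATE wp_b2s_posts SET hide = 1 WHERE id = ?", (int(post_id),))
    return cur.rowcount

def soft_delete_owned(db, session_user_id, post_id):
    """Scoped form: the owner id comes from the session, never from the request."""
    cur = db.execute(
        "UPDATE wp_b2s_posts SET hide = 1"
        " WHERE id = ? AND blog_user_id = ? AND hide = 0",
        (int(post_id), int(session_user_id)),
    )
    # 0 rows: the post does not exist or belongs to someone else.
    # Return the same failure for both so the response does not reveal valid ids.
    return cur.rowcount

def hidden_ids(db):
    rows = db.execute("SELECT id FROM wp_b2s_posts WHERE hide = 1 ORDER BY id")
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db()
    print("unscoped, post 3:", soft_delete_unscoped(db, 3), hidden_ids(db))
    db = make_db()
    print("scoped, user 10, post 3:", soft_delete_owned(db, 10, 3), hidden_ids(db))
    print("scoped, user 10, post 1:", soft_delete_owned(db, 10, 1), hidden_ids(db))
```

A handler built on the scoped form should treat a zero row count as a failed request and log it, since repeated zero-row deletes across sequential ids from one account are a useful detection signal.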
**Recommendations**
Update to a version later than 8.9.0.
As a temporary workaround, restrict access to the `deleteUserPublishPost()` and `deleteUserSchedPost()` functions to minimize the risk of exploitation.