CVE-2026-1942

Name of the Vulnerable Software and Affected Versions Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress versions through 8.7.4

Description The Blog2Social plugin for WordPress is susceptible to unauthorized data modification. This is due to a missing capability check on the b2s curation draft AJAX action. The curationDraft() function only verifies current user can('read') instead of confirming if the user has edit post permission for the specific post. Because the plugin provides UI access and exposes nonces to all roles, authenticated attackers with Subscriber-level access or higher can overwrite the title and content of any post or page. This is achieved by providing a target post ID through the b2s-draft-id parameter.

Recommendations Update to a version beyond 8.7.4.