PT-2026-40563 · WordPress · Blog2Social

Nicky Dev

·

Published

2026-05-13

·

Updated

2026-05-13

·

CVE-2026-7051

CVSS v3.1

5.4

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions Blog2Social: Social Media Auto Post & Scheduler versions prior to 8.9.1
Description The plugin is affected by missing authorization due to a lack of ownership verification in the deleteUserPublishPost() and deleteUserSchedPost() functions. These functions do not include a blog user id constraint in their database queries, which allows authenticated attackers to soft-delete any user's post records by providing arbitrary sequential wp b2s posts.id values through the postId parameter. This can lead to the deletion of other users' published and scheduled social media posts, disrupting content publishing workflows.
Recommendations Update to a version later than 8.9.0. As a temporary workaround, restrict access to the deleteUserPublishPost() and deleteUserSchedPost() functions to minimize the risk of exploitation.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-7051

Affected Products

Blog2Social