CVE-2026-7051 (GCVE-0-2026-7051)
Vulnerability from cvelistv5 – Published: 2026-05-13 04:26 – Updated: 2026-05-13 10:21
Title
Blog2Social: Social Media Auto Post & Scheduler <= 8.9.0 - Missing Authorization to Authenticated (Subscriber+) Delete Arbitrary B2S Post Records via 'postId' Parameter
Summary
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. This is due to a missing ownership verification in the B2S_Post_Tools::deleteUserPublishPost() and B2S_Post_Tools::deleteUserSchedPost() functions: neither function includes a blog_user_id constraint in its database query, allowing authenticated attackers to soft-delete any user's B2S post records by supplying arbitrary sequential wp_b2s_posts.id values via the 'postId' parameter. This makes it possible for authenticated attackers to delete other users' published and scheduled social media post records, disrupting content publishing workflows.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
Wordfence
References
14 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| pr-gateway | Blog2Social: Social Media Auto Post & Scheduler | Affected: 0, ≤ 8.9.0 (semver) |
Credits
Nicky Dev (finder)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7051",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T10:07:00.892672Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T10:21:40.570Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Blog2Social: Social Media Auto Post \u0026 Scheduler",
"vendor": "pr-gateway",
"versions": [
{
"lessThanOrEqual": "8.9.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nicky Dev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Blog2Social: Social Media Auto Post \u0026 Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. This is due to a missing ownership verification in the B2S_Post_Tools::deleteUserPublishPost() and B2S_Post_Tools::deleteUserSchedPost() functions, neither function includes a blog_user_id constraint in its database query, allowing authenticated attackers to soft-delete any user\u0027s B2S post records by supplying arbitrary sequential wp_b2s_posts.id values via the \u0027postId\u0027 parameter. This makes it possible for authenticated attackers to delete other users\u0027 published and scheduled social media post records, disrupting content publishing workflows."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T04:26:41.505Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f0859e21-851a-4a6d-aa6c-9f759c5866d9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/B2S/Post/Tools.php#L84"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.9.0/includes/B2S/Post/Tools.php#L84"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L1947"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.9.0/includes/Ajax/Post.php#L1947"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/B2S/Post/Tools.php#L24"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.9.0/includes/B2S/Post/Tools.php#L24"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L2264"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.9.0/includes/Ajax/Post.php#L2264"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/B2S/Post/Tools.php#L84"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L1947"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/B2S/Post/Tools.php#L24"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L2264"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3523333%40blog2social\u0026new=3523333%40blog2social\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-25T18:53:27.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-12T15:27:25.000Z",
"value": "Disclosed"
}
],
"title": "Blog2Social: Social Media Auto Post \u0026 Scheduler \u003c= 8.9.0 - Missing Authorization to Authenticated (Subscriber+) Delete Arbitrary B2S Post Records via \u0027postId\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7051",
"datePublished": "2026-05-13T04:26:41.505Z",
"dateReserved": "2026-04-25T18:38:15.157Z",
"dateUpdated": "2026-05-13T10:21:40.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-7051",
"date": "2026-06-02",
"epss": "0.00056",
"percentile": "0.17851"
}
}
}