๐Ÿ” CVE Alert

CVE-2026-7051

MEDIUM 5.4

Blog2Social: Social Media Auto Post & Scheduler <= 8.9.0 - Missing Authorization to Authenticated (Subscriber+) Delete Arbitrary B2S Post Records via 'postId' Parameter

CVSS Score
5.4
EPSS Score
0.0%
EPSS Percentile
0th

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. This is due to a missing ownership verification in the B2S_Post_Tools::deleteUserPublishPost() and B2S_Post_Tools::deleteUserSchedPost() functions, neither function includes a blog_user_id constraint in its database query, allowing authenticated attackers to soft-delete any user's B2S post records by supplying arbitrary sequential wp_b2s_posts.id values via the 'postId' parameter. This makes it possible for authenticated attackers to delete other users' published and scheduled social media post records, disrupting content publishing workflows.

CWE CWE-862
Vendor pr-gateway
Product blog2social: social media auto post & scheduler
Published May 13, 2026
Last Updated May 13, 2026
Stay Ahead of the Next One

Get instant alerts for pr-gateway blog2social: social media auto post & scheduler

Be the first to know when new medium vulnerabilities affecting pr-gateway blog2social: social media auto post & scheduler are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

pr-gateway / Blog2Social: Social Media Auto Post & Scheduler
0 โ‰ค 8.9.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/f0859e21-851a-4a6d-aa6c-9f759c5866d9?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/B2S/Post/Tools.php#L84 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/blog2social/tags/8.9.0/includes/B2S/Post/Tools.php#L84 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L1947 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/blog2social/tags/8.9.0/includes/Ajax/Post.php#L1947 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/B2S/Post/Tools.php#L24 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/blog2social/tags/8.9.0/includes/B2S/Post/Tools.php#L24 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L2264 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/blog2social/tags/8.9.0/includes/Ajax/Post.php#L2264 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/B2S/Post/Tools.php#L84 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L1947 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/B2S/Post/Tools.php#L24 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L2264 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3523333%40blog2social&new=3523333%40blog2social&sfp_email=&sfph_mail=

Credits

Nicky Dev