What the vulnerability does
01 Description
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to limited file upload due to an incorrect capability check on the uploadVideo() function in all versions up to, and including, 8.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload mp4 files to the 'wp-content/uploads/<YYYY>/<MM>/' directory.
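To make the bug class concrete, the following is an added, illustrative WordPress AJAX upload handler with the kind of incorrect capability check described above, beside a hardened version. This is example code, not Blog2Social's code: the action names, function names and the 'video'/'nonce' field names are assumptions, and the real uploadVideo() may differ in detail.

```php
<?php
/**
 * Added illustrative example, not Blog2Social's code. The action names,
 * function names and the 'video'/'nonce' field names are assumptions; the real
 * uploadVideo() handler may differ in detail.
 */

// --- Vulnerable pattern ---------------------------------------------------
// The only gate is "is someone logged in?". That is authentication, not
// authorization: a Subscriber passes it and can drop an .mp4 into
// wp-content/uploads/<YYYY>/<MM>/ even though WordPress never granted that
// role the upload_files capability.
add_action( 'wp_ajax_example_upload_video_vulnerable', 'example_upload_video_vulnerable' );
function example_upload_video_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $file = isset( $_FILES['video'] ) ? $_FILES['video'] : null;
    // $_FILES['type'] is a client-supplied string, not a real type check.
    if ( ! $file || 'video/mp4' !== $file['type'] ) {
        wp_send_json_error( 'mp4 only', 400 );
    }
    $result = wp_handle_upload( $file, array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_example_upload_video', 'example_upload_video_hardened' );
function example_upload_video_hardened() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'example_upload_video', 'nonce' );

    // 2. Authorization: require the capability WordPress itself uses for media
    //    uploads. Subscribers and Contributors lack it; Authors and above have it.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $file = isset( $_FILES['video'] ) ? $_FILES['video'] : null;
    if ( ! $file || UPLOAD_ERR_OK !== $file['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. Validate the type from the file itself, not from $_FILES['type'], and
    //    restrict wp_handle_upload() to the one MIME type this endpoint needs.
    $allowed = array( 'mp4|m4v' => 'video/mp4' );
    $check   = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( 'video/mp4' !== $check['type'] ) {
        wp_send_json_error( 'mp4 only', 400 );
    }

    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The point of the contrast is the second check in the hardened handler: is_user_logged_in() only proves a session exists, while current_user_can( 'upload_files' ) is the test WordPress applies in its own media uploader, and it is exactly the test a Subscriber fails.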
Explanation of Vulnerability in Simple Terms
02 Summary
Blog2Social versions up to and including 8.6.0 do not correctly check the caller's capability in the plugin's uploadVideo() function. Any logged-in user, even one holding only the Subscriber role, can therefore reach the upload path and place mp4 files in the site's wp-content/uploads/<YYYY>/<MM>/ directory. This is an authorization (missing-capability) flaw rather than an authentication bypass: a valid account is required, and the upload is limited to mp4 files.
What an attacker can do
03 Attacker Capabilities
Upload mp4 files into wp-content/uploads/<YYYY>/<MM>/ from an account that WordPress would not normally allow to upload media (Subscriber-level access or above).
Potential impact on your site
04 Site Impact
Any authenticated user with Subscriber-level access or above can write mp4 files into the site's uploads directory, which a standard WordPress install serves directly to the web, so the files become reachable under the site's own domain. The description limits the upload to mp4 files, so the direct impact is unwanted media being stored and served from the site rather than the upload of server-side code.
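One way to triage a site after the fact, as an added example that is not part of the advisory or of Blog2Social: walk the dated uploads subtree the description names and report mp4 files that either have no attachment record or were attached by a user who lacks upload_files. It assumes the standard uploads layout and that it runs inside WordPress (for example via `wp eval-file`); whether the vulnerable function registers an attachment post is not stated on the page, which is why both conditions are checked. The function name and the sample cut-off date are assumptions.

```php
<?php
/**
 * Added triage example; not part of the advisory or of Blog2Social. Run inside
 * WordPress, for example `wp eval-file find_suspect_mp4.php`. Assumes the
 * standard wp-content/uploads/<YYYY>/<MM>/ layout. Whether the vulnerable
 * handler registers an attachment post is not stated, so files with no record
 * and files attributed to a user who lacks upload_files are both reported.
 */
function example_find_suspect_mp4( $since = null ) {
    $up      = wp_upload_dir();
    $basedir = rtrim( $up['basedir'], '/' );
    $baseurl = rtrim( $up['baseurl'], '/' );
    $cutoff  = $since ? strtotime( $since ) : 0;
    $report  = array();

    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $basedir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $files as $path => $info ) {
        if ( 'mp4' !== strtolower( $info->getExtension() ) ) {
            continue;
        }
        $rel = substr( $path, strlen( $basedir ) ); // e.g. /2025/11/clip.mp4
        // Only the dated <YYYY>/<MM>/ subtree named in the description matters here.
        if ( ! preg_match( '#^/\d{4}/\d{2}/#', $rel ) || $info->getMTime() < $cutoff ) {
            continue;
        }
        $mtime   = date( 'c', $info->getMTime() );
        $post_id = attachment_url_to_postid( $baseurl . $rel );
        if ( ! $post_id ) {
            // File is on disk but the media library does not know it.
            $report[] = array( 'file' => $rel, 'mtime' => $mtime, 'reason' => 'no attachment record' );
            continue;
        }
        $author = (int) get_post_field( 'post_author', $post_id );
        if ( ! user_can( $author, 'upload_files' ) ) {
            // Attachment exists but its author should never have been able to upload.
            $report[] = array(
                'file'   => $rel,
                'mtime'  => $mtime,
                'reason' => "attached by user $author who lacks upload_files",
            );
        }
    }
    return $report;
}

// Sample cut-off date is an assumption; use the date the vulnerable version was installed.
foreach ( example_find_suspect_mp4( '2025-01-01' ) as $row ) {
    printf( "%s\t%s\t%s\n", $row['mtime'], $row['file'], $row['reason'] );
}
```

Files flagged with "no attachment record" are the ones worth pulling web-server access logs for, since a legitimate media-library upload always leaves an attachment post behind; the user-based check catches the case where the plugin did register the upload under the low-privilege account.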
Conditions required to exploit
05 Prerequisites
The attacker must hold a valid account on the site with Subscriber-level access or above; no elevated role is needed. Unauthenticated requests are not affected.
Key dates
06 Disclosure timeline
November 6, 2025
CVE published
April 8, 2026
Record updated