01 Description: What the vulnerability does
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. This is due to a misconfigured authorization check on the 'getShipItemFullText' function, which only verifies that a user has the 'read' capability (Subscriber-level) and a valid nonce, but fails to verify whether the user has permission to access the specific post being requested. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract data from password-protected, private, or draft posts.
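The flaw described above is a missing object-level authorization check: a nonce proves the request came from the site's own UI, and the 'read' capability proves the caller is logged in, but neither says anything about whether this caller may see this particular post. The following is an added illustration written for this page, not Blog2Social's own code; the handler, action and nonce names are assumptions. It places a minimal WordPress AJAX handler with that flawed pattern beside a hardened form that resolves the capability against the requested post.

```php
<?php
// Added illustration, not the plugin's code. Function, action and nonce names
// below are assumptions for the example only.

// FLAWED PATTERN: nonce + the 'read' capability (which every Subscriber has).
// Neither check is tied to the post being requested, so post_status
// ('private', 'draft') and post_password are never consulted.
function example_flawed_get_full_text() {
    check_ajax_referer( 'example_nonce_action', 'nonce' ); // assumed nonce action
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $post = get_post( absint( $_POST['post_id'] ?? 0 ) );
    if ( ! $post ) {
        wp_send_json_error( 'not found', 404 );
    }
    wp_send_json_success( array( 'content' => $post->post_content ) );
}

// HARDENED FORM: authorize against the specific object, then honour the
// post password.
function example_hardened_get_full_text() {
    check_ajax_referer( 'example_nonce_action', 'nonce' ); // assumed nonce action
    $post = get_post( absint( $_POST['post_id'] ?? 0 ) );
    if ( ! $post ) {
        wp_send_json_error( 'not found', 404 );
    }
    // 'read_post' is a meta capability: WordPress maps it to the primitive
    // capability the post's type and status require (public posts -> read,
    // private posts -> read_private_posts, drafts the user does not own ->
    // the edit_post mapping). A Subscriber fails it for others' private
    // and draft posts.
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Password-protected posts: only release content once the visitor has
    // entered the password (WordPress records this in a cookie).
    if ( post_password_required( $post ) ) {
        wp_send_json_error( 'password required', 403 );
    }
    wp_send_json_success( array( 'content' => $post->post_content ) );
}

add_action( 'wp_ajax_example_get_full_text', 'example_hardened_get_full_text' );
```

When auditing a plugin for this class of bug, the question to ask of every handler that takes a post ID is whether the capability check receives that ID: `current_user_can( 'read' )` or `is_user_logged_in()` alone is a role check, not an authorization decision about the object.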
02 Summary: Explanation of the vulnerability in simple terms
Blog2Social contains an authorization flaw that allows authenticated users with low privileges to access sensitive information they should not be able to view. The vulnerability affects versions up to 8.7.2. An attacker with a standard user account can read data with limited confidentiality impact. No code execution or data modification is possible through this flaw.
03 Attacker Capabilities: What an attacker can do
Read sensitive information accessible only to higher-privilege users.
04 Site Impact: Potential impact on your site
User data or settings may be exposed to standard users who should not have access.
05 Prerequisites: Conditions required to exploit
Attacker must have a low-privilege authenticated account on the site.
06 Disclosure timeline: Key dates
January 10, 2026: CVE published
April 8, 2026: Record updated