What the vulnerability does
01Description
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the b2s_curation_draft AJAX action in all versions up to, and including, 8.7.4. The curationDraft() function only verifies current_user_can('read') without checking whether the user has edit_post permission for the target post. Combined with the plugin granting UI access and nonce exposure to all roles, this makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the title and content of arbitrary posts and pages by supplying a target post ID via the 'b2s-draft-id' parameter.
Explanation of Vulnerability in Simple Terms
02Summary
Blog2Social versions up to 8.7.4 lack proper authorization checks, allowing authenticated users to modify content they should not have access to. An attacker with a low-privilege account can alter posts, schedules, or social media settings belonging to other users or the site. This affects the integrity of published content and scheduled posts across connected social platforms.
What an attacker can do
03Attacker Capabilities
Modify or delete posts and social media schedules belonging to other users.
Potential impact on your site
04Site Impact
Unauthorized changes to published posts, scheduled content, and social media configurations across all connected platforms.
Conditions required to exploit
05Prerequisites
Attacker must have a valid user account with at least low-level privileges on the site.
Key dates
06Disclosure timeline
February 18, 2026
CVE published
April 8, 2026
Record updated
