What the vulnerability does
01 Description
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. The resetSocialMetaTags() function only verifies that the caller has the 'read' capability and a valid b2s_security_nonce. Both are available to Subscriber-level users: every role has 'read', and the plugin grants the 'blog2social_access' capability to all roles on activation, so any logged-in user can open the plugin's admin pages where the nonce is printed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all _b2s_post_meta records from the wp_postmeta table, permanently removing the custom social media meta tags for every post on the site.
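The pattern the advisory describes, shown as an added, illustrative WordPress AJAX handler rather than Blog2Social's own code. The function and nonce names (b2s_demo_reset_meta, b2s_demo_nonce) are assumptions; the meta key _b2s_post_meta is the one the advisory names. The vulnerable form checks only a nonce and 'read', which every logged-in role satisfies; the hardened form keeps the nonce and adds a capability that only administrators hold.

```php
<?php
// Added example, not Blog2Social code. Hypothetical names: b2s_demo_reset_meta,
// b2s_demo_nonce. The meta key _b2s_post_meta is the one named in the advisory.

// Vulnerable pattern: a nonce plus the 'read' capability.
// check_ajax_referer() only proves the request came from a page that printed
// the nonce (CSRF protection), and 'read' is granted to Subscribers, so neither
// check establishes that the caller is allowed to perform a destructive,
// site-wide action. If the nonce is printed on a page every role can reach,
// any authenticated user can call this handler.
function b2s_demo_reset_meta_vulnerable() {
    check_ajax_referer( 'b2s_demo_nonce', 'nonce' ); // CSRF check only
    if ( ! current_user_can( 'read' ) ) {            // true for Subscriber and up
        wp_send_json_error( 'forbidden', 403 );
    }
    global $wpdb;
    // Deletes the custom social meta for every post on the site.
    $deleted = $wpdb->delete( $wpdb->postmeta, array( 'meta_key' => '_b2s_post_meta' ) );
    wp_send_json_success( array( 'deleted' => $deleted ) );
}

// Hardened pattern: keep the nonce, but gate the action behind a capability
// that only administrators hold. 'manage_options' is the conventional choice
// for site-wide settings. A plugin-specific capability would also work, but
// only if it is granted to administrators alone, not to every role on activation.
function b2s_demo_reset_meta_hardened() {
    check_ajax_referer( 'b2s_demo_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->postmeta, array( 'meta_key' => '_b2s_post_meta' ) );
    wp_send_json_success( array( 'deleted' => $deleted ) );
}

// Register only the hardened handler. wp_ajax_* hooks fire for logged-in users,
// which is exactly why the capability check inside the handler matters.
add_action( 'wp_ajax_b2s_demo_reset_meta', 'b2s_demo_reset_meta_hardened' );
```

When reviewing a plugin for this class of bug, treat a nonce check as CSRF protection and nothing more: the authorization decision is the current_user_can() call, and its capability has to be one the intended audience actually lacks. Also check where the nonce is rendered; a nonce printed on a page that every role can open is available to every role.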
Explanation of Vulnerability in Simple Terms
02 Summary
Blog2Social versions up to and including 8.8.2 do not check that the user calling resetSocialMetaTags() is authorized to run it. The handler requires only a nonce and the 'read' capability, which every logged-in role has, and the nonce is printed on plugin admin pages that the plugin opens to all roles on activation. Any authenticated user, down to Subscriber level, can therefore trigger the function and delete the plugin's stored social media meta tags for every post on the site. Exploitation requires a valid account on the site but no elevated role.
What an attacker can do
03 Attacker Capabilities
Delete every _b2s_post_meta record from the wp_postmeta table in a single authenticated request, wiping the custom social media meta tags for all posts on the site.
Potential impact on your site
04 Site Impact
Any malicious or compromised account, including a Subscriber account of the kind open registration typically creates, can erase the custom social media meta tags for every post. The posts themselves are not removed, but the deleted meta records are not recoverable except from a database backup.
Conditions required to exploit
05 Prerequisites
An authenticated account on the site at Subscriber level or above. No other conditions are required: the nonce the function checks is obtainable by any logged-in user, because the plugin grants the 'blog2social_access' capability to all roles on activation.
Key dates
06 Disclosure timeline
March 26, 2026: CVE published
April 8, 2026: Record updated