{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4331", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-17T13:53:00.541Z", "datePublished": "2026-03-26T03:37:27.541Z", "dateUpdated": "2026-03-26T03:37:27.541Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-26T03:37:27.541Z"}, "affected": [{"vendor": "pr-gateway", "product": "Blog2Social: Social Media Auto Post & Scheduler", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "8.8.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. This is due to the resetSocialMetaTags() function only verifying that the user has the 'read' capability and a valid b2s_security_nonce, both of which are available to Subscriber-level users, as the plugin grants 'blog2social_access' capability to all roles upon activation, allowing them to access the plugin's admin pages where the nonce is output. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all _b2s_post_meta records from the wp_postmeta table, permanently removing all custom social media meta tags for every post on the site."}], "title": "Blog2Social: Social Media Auto Post & Scheduler <= 8.8.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Deletion via 'b2s_reset_social_meta_tags' AJAX Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7dc46bc4-ecfb-438f-b951-7b957489cd96?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L1290"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L1290"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L1281"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L1281"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L37"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L37"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Loader.php#L2202"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Loader.php#L2202"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.3/includes/Ajax/Post.php#L1301"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Mariusz Maik"}], "timeline": [{"time": "2026-03-17T14:08:09.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-25T14:26:40.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. This is due to the resetSocialMetaTags() function only verifying that the user has the 'read' capability and a valid b2s_security_nonce, both of which are available to Subscriber-level users, as the plugin grants 'blog2social_access' capability to all roles upon activation, allowing them to access the plugin's admin pages where the nonce is output. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all _b2s_post_meta records from the wp_postmeta table, permanently removing all custom social media meta tags for every post on the site."}], "id": "CVE-2026-4331", "lastModified": "2026-03-26T05:16:40.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-03-26T05:16:40.477", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L1281"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L1290"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L37"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Loader.php#L2202"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.3/includes/Ajax/Post.php#L1301"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L1281"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L1290"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L37"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Loader.php#L2202"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7dc46bc4-ecfb-438f-b951-7b957489cd96?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.8.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Blog2Social: Social Media Auto Post & Scheduler", "source": "cna", "vendor": "pr-gateway"}, "product": "blog2social:_social_media_auto_post_&_scheduler", "vendor": "pr-gateway"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T05:23:13.870550+00:00", "value": {"mitigation_remediation": ["Upgrade Blog2Social to version 8.8.3 or newer, which removes the vulnerability. If upgrading is delayed, consider disabling the AJAX endpoint or restricting the plugin\u2019s access capability to administrators only. Verify that only administrators can edit or reset social meta tags. Ensure that any subscriber-level users are not granted the 'blog2social_access' capability."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized deletion of social media meta tags"}, "threat_synthesis": {"affected_systems": "The issue affects the Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress in all releases up to and including 8.8.2. Users of any role who have basic read permissions can exploit the flaw because the plugin grants access to its admin pages on activation.", "description_and_impact": "The vulnerability lies in the resetSocialMetaTags() function, which only checks for a generic 'read' capability and a nonce. Because all WordPress roles receive the plugin\u2019s 'blog2social_access' capability, authorized subscribers can invoke the AJAX action that deletes every _b2s_post_meta record. The result is a loss of custom social media meta data for all posts, damaging the site\u2019s social sharing configuration and potentially breaking cross\u2011platform integrations. No code execution or data exfiltration is possible, but the integrity of post metadata is compromised.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the attack requires a logged\u2011in user with at least subscriber level rights. Because the vulnerability depends on a legitimate AJAX endpoint that accepts a valid nonce, the exploitation cost is low for authenticated users. No EPSS data or KEV listing is available, but the weakness (CWE\u2011862) is widely known and could be abused by attackers with common access privileges."}}}}, "created": "2026-03-26T11:30:40.080210+00:00", "updated": "2026-03-26T12:08:40.624649+00:00", "vendors": ["pr-gateway", "pr-gateway$PRODUCT$blog2social:_social_media_auto_post_&_scheduler", "wordpress", "wordpress$PRODUCT$wordpress"]}