WP-Safety
CVE-2026-1942

Blog2Social: Social Media Auto Post & Scheduler <= 8.7.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Modification

mediumMissing Authorization
6.5
CVSS Score
6.5
CVSS Score
medium
Severity
8.7.5
Patched in
1d
Time to patch

Description

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the b2s_curation_draft AJAX action in all versions up to, and including, 8.7.4. The curationDraft() function only verifies current_user_can('read') without checking whether the user has edit_post permission for the target post. Combined with the plugin granting UI access and nonce exposure to all roles, this makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the title and content of arbitrary posts and pages by supplying a target post ID via the 'b2s-draft-id' parameter.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
High
Integrity
None
Availability

Technical Details

Affected versions<=8.7.4
PublishedFebruary 17, 2026
Last updatedFebruary 18, 2026
Affected pluginblog2social

Source Code

WordPress.org SVN
Vulnerable v8.7.4
Browse source Download .zip
Patched v8.7.5
Browse source Download .zip
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-1942 (Blog2Social) ## 1. Vulnerability Summary The **Blog2Social** plugin (up to version 8.7.4) contains a missing authorization vulnerability in its AJAX handler for saving curated drafts. The function `curationDraft()`, mapped to the `wp_ajax_b2s_curation_dr…

Show full research plan

Exploitation Research Plan: CVE-2026-1942 (Blog2Social)

1. Vulnerability Summary

The Blog2Social plugin (up to version 8.7.4) contains a missing authorization vulnerability in its AJAX handler for saving curated drafts. The function curationDraft(), mapped to the wp_ajax_b2s_curation_draft action, performs a weak capability check (current_user_can('read')) which is satisfied by any logged-in user, including Subscribers.

Critically, the function does not verify if the user has the edit_post capability for the specific post ID provided in the b2s-draft-id parameter. This allows an authenticated attacker to overwrite the post_title and post_content of any arbitrary post or page on the WordPress site.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: b2s_curation_draft
  • HTTP Method: POST
  • Authentication: Required (Subscriber level or higher)
  • Parameters:
    • action: b2s_curation_draft
    • _wpnonce: (Required) A valid nonce for the curation action.
    • b2s-draft-id: The ID of the target post/page to overwrite.
    • b2s-draft-title (inferred): The new title for the post.
    • b2s-draft-content (inferred): The new content for the post.
  • Preconditions: The attacker must be logged in as at least a Subscriber.

3. Code Flow (Inferred from Patch Description)

  1. Entry Point: The AJAX action wp_ajax_b2s_curation_draft triggers the curationDraft() method in the plugin's controller.
  2. Nonce Verification: The function calls check_ajax_referer() or wp_verify_nonce() using a nonce that is exposed to all authenticated users via localized scripts.
  3. Authorization Check: The code performs if (!current_user_can('read')) wp_die();. Since Subscribers have the read capability, they pass this check.
  4. Processing: The code retrieves the post ID from $_POST['b2s-draft-id'].
  5. Vulnerable Sink: The plugin calls wp_update_post() or a similar database wrapper, passing the ID from the request and the new title/content without verifying current_user_can('edit_post', $post_id).

4. Nonce Acquisition Strategy

The plugin exposes nonces to the UI for its scheduling and curation features. These nonces are often localized for use in the WordPress dashboard.

  1. Identify the Script: Look for wp_localize_script calls in the plugin source (likely in an admin initialization hook).
  2. Accessing the Nonce:
    • Log in as a Subscriber.
    • Navigate to the WordPress Dashboard (/wp-admin/index.php).
    • Use browser_eval to search for the nonce in the global window object.
    • Target Variable (inferred): window.blog2social_vars?.nonce or window.b2s_data?.curation_nonce.
    • If the scripts aren't loaded on the main dashboard, check if they load on the "Social Media Post & Scheduler" menu item if visible to Subscribers.

5. Exploitation Strategy

Step 1: Authentication

Login as a Subscriber and capture the session cookies.

Step 2: Nonce Extraction

Navigate to the dashboard and execute:

// Example JS to run via browser_eval
window.b2s_vars?.nonce || window.blog2social_vars?.nonce

Step 3: Payload Delivery

Send a POST request to admin-ajax.php to overwrite an administrator's post.

Request Template:

  • URL: http://<target>/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body:
action=b2s_curation_draft&_wpnonce=[EXTRACTED_NONCE]&b2s-draft-id=[TARGET_POST_ID]&b2s-draft-title=Hacked+by+Researcher&b2s-draft-content=This+content+has+been+overwritten.

6. Test Data Setup

  1. Target Post: Create a "Private" or "Published" post as an Administrator. Note its ID (e.g., 123).
  2. Attacker User: Create a user with the Subscriber role.
  3. Plugin State: Ensure Blog2Social <= 8.7.4 is active.

7. Expected Results

  • Response: The server should return a success status (likely 200 OK with a JSON success message or 1).
  • Impact: The post with ID [TARGET_POST_ID] should now have the title "Hacked by Researcher" and the new content.

8. Verification Steps

  1. WP-CLI: Check the post content after the exploit:
    wp post get [TARGET_POST_ID] --field=post_content
wp post get [TARGET_POST_ID] --field=post_title
  2. Browser: View the post (if public) or check the "Posts" list in the admin panel to confirm the change.

9. Alternative Approaches

If b2s-draft-title or b2s-draft-content are not the exact parameter names:

  • Audit the curationDraft function logic for the keys used in the $_POST array.
  • Look for common curation keys like b2s_title, b2s_text, or draft_content.
  • If the nonce is not found on the dashboard, check for any Blog2Social-specific pages accessible to low-level users or check if the plugin enqueues scripts on the frontend for users with the read capability.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Blog2Social plugin for WordPress is vulnerable to unauthorized post modification due to an insufficient authorization check in the b2s_curation_draft AJAX action. Authenticated attackers with Subscriber-level access can exploit this to overwrite the title and content of any arbitrary post or page by providing a target post ID.

Vulnerable Code

// blog2social/includes/Ajax/Curation.php (approximated location based on function name)

public function curationDraft()
{
    // Missing check_ajax_referer for robust security
    
    // Weak capability check only verifies if user can 'read'
    if (!current_user_can('read')) {
        wp_die();
    }

    $post_id = isset($_POST['b2s-draft-id']) ? intval($_POST['b2s-draft-id']) : 0;
    $title = isset($_POST['b2s-draft-title']) ? sanitize_text_field($_POST['b2s-draft-title']) : '';
    $content = isset($_POST['b2s-draft-content']) ? wp_kses_post($_POST['b2s-draft-content']) : '';

    // Vulnerability: No check if the current user has permission to edit the specific $post_id
    $post_data = array(
        'ID'           => $post_id,
        'post_title'   => $title,
        'post_content' => $content,
    );

    wp_update_post($post_data);
    
    wp_send_json_success();
}

Security Fix

--- a/includes/Ajax/Curation.php
+++ b/includes/Ajax/Curation.php
@@ -10,7 +10,12 @@
-    if (!current_user_can('read')) {
-        wp_die();
-    }
+    check_ajax_referer('blog2social_nonce');
+    
+    $post_id = isset($_POST['b2s-draft-id']) ? intval($_POST['b2s-draft-id']) : 0;
+
+    if (!current_user_can('edit_post', $post_id)) {
+        wp_send_json_error('Unauthorized');
+        return;
+    }

Exploit Outline

The exploit targets the 'b2s_curation_draft' AJAX action. An attacker first authenticates as a Subscriber and extracts the required nonce from the localized scripts (e.g., blog2social_vars.nonce) present in the WordPress dashboard. They then send a POST request to '/wp-admin/admin-ajax.php' with the 'action' set to 'b2s_curation_draft', the extracted '_wpnonce', a target 'b2s-draft-id' representing the post to overwrite, and the desired 'b2s-draft-title' and 'b2s-draft-content' payloads. Because the plugin only checks if the user has the 'read' capability rather than 'edit_post' for the specific ID, the targeted post is updated with the attacker's content.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/930e7fd6-ae0b-465a-aa93-04ef80011d32?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database