{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4330", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-17T13:51:34.020Z", "datePublished": "2026-04-08T07:43:03.247Z", "dateUpdated": "2026-04-08T17:32:59.960Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:59.960Z"}, "affected": [{"vendor": "pr-gateway", "product": "Blog2Social: Social Media Auto Post & Scheduler", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.8.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and including, 8.8.3. This is due to the plugin's AJAX handlers failing to validate that the user-supplied 'b2s_id' parameter belongs to the current user before performing UPDATE and DELETE operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify, reschedule, or delete other users' scheduled social media posts."}], "title": "Blog2Social: Social Media Auto Post & Scheduler <= 8.8.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Schedule Modification via 'b2s_id' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3eec9c6-fef9-4d6e-8328-51efb997c99c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L2183"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L2183"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L2273"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L2273"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L2322"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L2322"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/B2S/Post/Tools.php#L32"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/B2S/Post/Tools.php#L32"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/B2S/Ship/Save.php#L190"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/B2S/Ship/Save.php#L190"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L2178"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L2178"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Loader.php#L2202"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Loader.php#L2202"}, {"url": "https://plugins.trac.wordpress.org/changeset/3494550/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Mariusz Maik"}], "timeline": [{"time": "2026-03-17T14:06:50.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T19:13:42.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:18:25.729120Z", "id": "CVE-2026-4330", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:18:34.903Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4330", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:18:25.729120Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:18:30.610Z"}}], "cna": {"title": "Blog2Social: Social Media Auto Post & Scheduler <= 8.8.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Post Schedule Modification via 'b2s_id' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "Mariusz Maik"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "pr-gateway", "product": "Blog2Social: Social Media Auto Post & Scheduler", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.8.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-17T14:06:50.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-07T19:13:42.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3eec9c6-fef9-4d6e-8328-51efb997c99c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L2183"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L2183"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L2273"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L2273"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L2322"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L2322"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/B2S/Post/Tools.php#L32"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/B2S/Post/Tools.php#L32"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/B2S/Ship/Save.php#L190"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/B2S/Ship/Save.php#L190"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L2178"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L2178"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Loader.php#L2202"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Loader.php#L2202"}, {"url": "https://plugins.trac.wordpress.org/changeset/3494550/"}], "descriptions": [{"lang": "en", "value": "The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and including, 8.8.3. This is due to the plugin's AJAX handlers failing to validate that the user-supplied 'b2s_id' parameter belongs to the current user before performing UPDATE and DELETE operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify, reschedule, or delete other users' scheduled social media posts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:59.960Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4330", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:32:59.960Z", "dateReserved": "2026-03-17T13:51:34.020Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T07:43:03.247Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and including, 8.8.3. This is due to the plugin's AJAX handlers failing to validate that the user-supplied 'b2s_id' parameter belongs to the current user before performing UPDATE and DELETE operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify, reschedule, or delete other users' scheduled social media posts."}], "id": "CVE-2026-4330", "lastModified": "2026-04-24T18:15:28.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T08:16:23.733", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L2178"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L2183"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L2273"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L2322"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/B2S/Post/Tools.php#L32"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/B2S/Ship/Save.php#L190"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Loader.php#L2202"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L2178"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L2183"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L2273"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L2322"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/B2S/Post/Tools.php#L32"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/B2S/Ship/Save.php#L190"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Loader.php#L2202"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3494550/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3eec9c6-fef9-4d6e-8328-51efb997c99c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.8.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Blog2Social: Social Media Auto Post & Scheduler", "source": "cna", "vendor": "pr-gateway"}, "product": "blog2social:_social_media_auto_post_&_scheduler", "vendor": "pr-gateway"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:38:50.593984+00:00", "value": {"mitigation_remediation": ["Update Blog2Social plugin to the latest version that contains the fix (any release above 8.8.3).", "If an update is not immediately available, consider temporarily disabling scheduled post features or revoking Subscriber privileges until a fix can be applied.", "Verify that the plugin\u2019s source files match the author\u2019s checksum or file hashes to detect tampering."], "summary": {"action": "Patch immediately", "impact": "Unauthorized modification of scheduled social media posts"}, "threat_synthesis": {"affected_systems": "Affected systems include any WordPress installation running Blog2Social plugin version 8.8.3 or earlier. The vulnerability is present in all releases up to and including 8.8.3, regardless of the operating environment. There are no additional external dependencies listed beyond the plugin itself.", "description_and_impact": "The Blog2Social plugin, a WordPress add\u2011on used for scheduling social media content, contains an authorization bypass that allows any authenticated user with Subscriber level or higher to change the schedule of posts belonging to other users. During the AJAX request, the plugin does not verify that the provided 'b2s_id' value belongs to the current user before performing the UPDATE or DELETE operation. This creates a classic Insecure Direct Object Reference flaw (CWE\u2011639) that can lead to unwanted reposting, rescheduling or deletion of posts, thereby compromising the organization\u2019s social media integrity.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 4.3, indicating moderate severity. Because an attacker must first authenticate with a WordPress account that has at least Subscriber role, the exploitation window is limited to sites with widespread or easily compromised credentials. The EPSS score is not available, and the flaw is not currently catalogued in CISA\u2019s KEV list. The likely attack path requires a valid login, selection of a target post, and submission of the 'b2s_id' parameter with an ID that does not belong to the logged\u2011in user."}}}}, "created": "2026-04-08T19:30:56.456074+00:00", "updated": "2026-04-08T19:43:27.098979+00:00", "vendors": ["pr-gateway", "pr-gateway$PRODUCT$blog2social:_social_media_auto_post_&_scheduler", "wordpress", "wordpress$PRODUCT$wordpress"]}