CVE-2025-30960 identifies a Missing Authorization vulnerability in the FS Poster WordPress plugin developed by fs-code, affecting all versions up to 6.5.8. FS Poster is widely used for automating social media posts from WordPress sites. The vulnerability arises because the plugin fails to properly enforce authorization checks on certain functions or endpoints, allowing attackers to bypass access controls. This can enable unauthorized users to perform privileged actions such as posting content, modifying settings, or accessing sensitive data without authentication. The vulnerability was reserved in late March 2025 and published in mid-April 2025, with no CVSS score assigned yet and no known exploits in the wild. The absence of patches or mitigation details suggests that users must take immediate protective measures. Missing authorization issues are critical in web applications as they directly undermine access control mechanisms, potentially leading to privilege escalation, data leakage, or service manipulation. Given FS Poster's role in managing social media content, exploitation could also facilitate reputational damage or social engineering attacks by posting malicious or misleading content on behalf of the victim site.

The impact of this vulnerability is significant for organizations using FS Poster to manage social media automation. Unauthorized access could allow attackers to post unauthorized content, manipulate social media campaigns, or extract sensitive configuration data. This can lead to reputational damage, loss of customer trust, and potential legal or compliance issues if sensitive data is exposed. Additionally, attackers could leverage compromised social media accounts for phishing or spreading malware. The integrity and confidentiality of the affected systems are at risk, while availability impact is likely limited but possible if attackers disrupt plugin functionality. Since FS Poster is a WordPress plugin, the scope includes any WordPress site using this plugin, which can be extensive globally. The ease of exploitation is moderate to high because no authentication is required, and exploitation only requires sending crafted requests to the vulnerable endpoints. Organizations relying heavily on social media marketing or those with high-profile WordPress sites are particularly vulnerable.

Until an official patch is released, organizations should implement strict access controls at the web server and application level to restrict access to FS Poster endpoints. Employing Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized requests targeting FS Poster can reduce risk. Administrators should audit and monitor logs for unusual activity related to social media posting or plugin configuration changes. Limiting plugin usage to trusted administrators and disabling or uninstalling FS Poster if not essential can mitigate exposure. Keeping WordPress core and other plugins updated reduces the attack surface. Once a patch is available, immediate application is critical. Additionally, organizations should review their social media accounts for unauthorized posts and reset credentials if suspicious activity is detected. Implementing multi-factor authentication (MFA) for WordPress admin accounts can further reduce risk from compromised credentials.