CVE-2026-1942: CWE-862 Missing Authorization in pr-gateway Blog2Social: Social Media Auto Post & Scheduler
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the b2s_curation_draft AJAX action in all versions up to, and including, 8.7.4. The curationDraft() function only verifies current_user_can('read') without checking whether the user has edit_post permission for the target post. Combined with the plugin granting UI access and nonce exposure to all roles, this makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the title and content of arbitrary posts and pages by supplying a target post ID via the 'b2s-draft-id' parameter.
AI Analysis
Technical Summary
The Blog2Social plugin for WordPress contains a missing authorization vulnerability (CWE-862) in the b2s_curation_draft AJAX action. The curationDraft() function checks only for 'read' capability but does not verify 'edit_post' permissions on the targeted post. Because the plugin exposes UI elements and nonces to all user roles, authenticated users with minimal privileges (Subscriber or higher) can supply a post ID via the 'b2s-draft-id' parameter to overwrite the title and content of arbitrary posts and pages. This vulnerability affects all versions up to and including 8.7.4.
Potential Impact
An authenticated user with Subscriber-level or higher privileges can modify the content and titles of any posts or pages on the affected WordPress site without proper authorization. This can lead to unauthorized content changes, defacement, misinformation, or other integrity issues. There is no direct impact on confidentiality or availability reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict plugin access to trusted user roles and consider disabling the plugin if unauthorized content modification risk is unacceptable. Monitor for updates from the vendor addressing this missing authorization issue.
CVE-2026-1942: CWE-862 Missing Authorization in pr-gateway Blog2Social: Social Media Auto Post & Scheduler
Description
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the b2s_curation_draft AJAX action in all versions up to, and including, 8.7.4. The curationDraft() function only verifies current_user_can('read') without checking whether the user has edit_post permission for the target post. Combined with the plugin granting UI access and nonce exposure to all roles, this makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the title and content of arbitrary posts and pages by supplying a target post ID via the 'b2s-draft-id' parameter.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Blog2Social plugin for WordPress contains a missing authorization vulnerability (CWE-862) in the b2s_curation_draft AJAX action. The curationDraft() function checks only for 'read' capability but does not verify 'edit_post' permissions on the targeted post. Because the plugin exposes UI elements and nonces to all user roles, authenticated users with minimal privileges (Subscriber or higher) can supply a post ID via the 'b2s-draft-id' parameter to overwrite the title and content of arbitrary posts and pages. This vulnerability affects all versions up to and including 8.7.4.
Potential Impact
An authenticated user with Subscriber-level or higher privileges can modify the content and titles of any posts or pages on the affected WordPress site without proper authorization. This can lead to unauthorized content changes, defacement, misinformation, or other integrity issues. There is no direct impact on confidentiality or availability reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict plugin access to trusted user roles and consider disabling the plugin if unauthorized content modification risk is unacceptable. Monitor for updates from the vendor addressing this missing authorization issue.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-02-04T21:32:56.502Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699594d680d747be205fb502
Added to database: 2/18/2026, 10:30:46 AM
Last enriched: 4/9/2026, 6:37:01 PM
Last updated: 5/22/2026, 5:08:15 AM
Views: 115
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.