CVE-2026-4331: CWE-862 Missing Authorization in pr-gateway Blog2Social: Social Media Auto Post & Scheduler
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. This is due to the resetSocialMetaTags() function only verifying that the user has the 'read' capability and a valid b2s_security_nonce, both of which are available to Subscriber-level users, as the plugin grants 'blog2social_access' capability to all roles upon activation, allowing them to access the plugin's admin pages where the nonce is output. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all _b2s_post_meta records from the wp_postmeta table, permanently removing all custom social media meta tags for every post on the site.
AI Analysis
Technical Summary
The Blog2Social plugin for WordPress contains a missing authorization vulnerability (CWE-862) in the resetSocialMetaTags() function. This function only verifies that the user has 'read' capability and a valid security nonce, both accessible to Subscriber-level users due to the plugin granting 'blog2social_access' capability to all roles. Consequently, an authenticated user with minimal privileges can delete all _b2s_post_meta entries from the wp_postmeta table, resulting in permanent loss of custom social media meta tags across all posts on the site.
Potential Impact
The vulnerability allows authenticated users with Subscriber-level access or higher to cause unauthorized data loss by deleting all social media meta tags stored in the database. This affects the integrity of social media metadata for every post and may disrupt social media sharing and related functionality. No impact on confidentiality or availability is reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Subscriber-level user access or deactivate the Blog2Social plugin if possible. Monitor for updates from the vendor and apply patches promptly once released.
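As an added illustration, not the plugin's own code, the following shows the corrected shape of the authorization check for a handler such as resetSocialMetaTags(), together with an interim mu-plugin filter implementing the recommendation above to restrict Subscriber-level access. The handler name, AJAX action, nonce action string and field name are assumptions.

```php
<?php
// Hypothetical reconstruction of the check described in CVE-2026-4331.
// Not Blog2Social code: handler name, AJAX action and nonce strings are assumed.

// Corrected handler. The weak pattern the advisory describes verified only a
// nonce plus the 'read' capability; every role has 'read' and the nonce is
// printed on admin pages reachable by anyone with 'blog2social_access', so
// neither check established that the caller may destroy site-wide data.
function b2s_reset_social_meta_handler_fixed() {
    // Keep the nonce: it protects against CSRF, but it is not authorization.
    check_ajax_referer( 'b2s_security_nonce', 'b2s_security_nonce' );

    // Gate the destructive action on a capability Subscribers never hold.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Site-wide deletion of every post's custom social meta; only admins reach here.
    delete_post_meta_by_key( '_b2s_post_meta' );
    wp_send_json_success();
}
add_action( 'wp_ajax_b2s_reset_social_meta', 'b2s_reset_social_meta_handler_fixed' );

// Interim hardening while waiting for a vendor patch: drop the plugin-granted
// 'blog2social_access' capability from users who cannot edit others' posts.
// This removes the admin-page access that exposes the nonce to low-privilege
// roles; it does not repair the handler's own check, so it is a stopgap only.
add_filter( 'user_has_cap', function ( $allcaps ) {
    if ( empty( $allcaps['edit_others_posts'] ) ) {
        unset( $allcaps['blog2social_access'] );
    }
    return $allcaps;
}, 10, 1 );
```

Drop the filter into wp-content/mu-plugins/ so it loads before the plugin and remove it once the vendor fix is applied.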
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-03-17T13:53:00.541Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c4b67cf4197a8e3bc62aef
Added to database: 3/26/2026, 4:30:52 AM
Last enriched: 4/9/2026, 6:52:11 PM
Last updated: 5/10/2026, 6:58:57 AM