{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12563", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-31T19:07:24.936Z", "datePublished": "2025-11-06T04:36:21.892Z", "dateUpdated": "2026-04-08T16:46:16.390Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:16.390Z"}, "affected": [{"vendor": "pr-gateway", "product": "Blog2Social: Social Media Auto Post & Scheduler", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.6.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to limited file upload due to an incorrect capability check on theuploadVideo() function in all versions up to, and including, 8.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload mp4 files to the 'wp-content/uploads/<YYYY>/<MM>/' directory."}], "title": "Blog2Social: Social Media Auto Post & Scheduler <= 8.6.0 - Incorrect Authorization to Video File Upload", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3710f139-0f17-426c-b48c-4c42ae4bab5f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3389636/blog2social"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "thinnawarth mathuros"}], "timeline": [{"time": "2025-10-31T19:23:04.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-05T16:35:38.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-06T14:08:43.147578Z", "id": "CVE-2025-12563", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-06T14:08:53.571Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12563", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-06T14:08:43.147578Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-06T14:08:50.311Z"}}], "cna": {"title": "Blog2Social: Social Media Auto Post & Scheduler <= 8.6.0 - Incorrect Authorization to Video File Upload", "credits": [{"lang": "en", "type": "finder", "value": "thinnawarth mathuros"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "pr-gateway", "product": "Blog2Social: Social Media Auto Post & Scheduler", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.6.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-31T19:23:04.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-05T16:35:38.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3710f139-0f17-426c-b48c-4c42ae4bab5f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3389636/blog2social"}], "descriptions": [{"lang": "en", "value": "The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to limited file upload due to an incorrect capability check on theuploadVideo() function in all versions up to, and including, 8.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload mp4 files to the 'wp-content/uploads/<YYYY>/<MM>/' directory."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:16.390Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12563", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:46:16.390Z", "dateReserved": "2025-10-31T19:07:24.936Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-06T04:36:21.892Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to limited file upload due to an incorrect capability check on theuploadVideo() function in all versions up to, and including, 8.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload mp4 files to the 'wp-content/uploads/<YYYY>/<MM>/' directory."}], "id": "CVE-2025-12563", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-06T05:16:05.130", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3389636/blog2social"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3710f139-0f17-426c-b48c-4c42ae4bab5f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:37:45.548785+00:00", "value": {"mitigation_remediation": ["Update Blog2Social to the latest version (8.6.1 or newer) where the capability check has been fixed", "If an update is not immediately possible, restrict the file types allowed for media uploads in WordPress settings to exclude .mp4 files or set stricter capability checks for the Video Upload feature", "Consider disabling the video upload feature entirely for Subscriber and lower roles via a role\u2011management plugin or code snippet"], "summary": {"action": "Patch", "impact": "Unauthorized video file upload"}, "threat_synthesis": {"affected_systems": "All WordPress installations running Blog2Social version 8.6.0 or earlier are impacted. This includes any site that has installed the plugin without updating to a newer release that removes the capability check. Site administrators should verify the currently installed plugin version and ensure it is at 8.6.1 or higher.", "description_and_impact": "The Blog2Social plugin, a WordPress extension for auto\u2011posting to social media, contains a flaw where the uploadVideo() function checks the user capability incorrectly. Consequently, any authenticated user with Subscriber or higher role can upload MP4 files to the wp\u2011content/uploads folder, potentially leading to unauthorized content placement on the site. This allows attackers to alter site media storage, hide malicious content, or exploit other weaknesses relying on the presence of uploaded files. The weakness is a classic example of incorrect authorization and is classified as CWE\u2011862.", "risk_and_exploitability": "The CVSS base score of 4.3 indicates moderate severity. With an EPSS score of less than 1%, the likelihood of exploitation is extremely low at present. The vulnerability is not listed in the CISA KEV catalog, reducing its prominence. The attack vector requires authenticated access; therefore, users with Subscriber privileges can abuse the flaw. In practice, exploitation would involve uploading an MP4 file to the uploads directory, which may then be accessed publicly or used in further attacks if the site's security posture is otherwise weak."}}}}, "created": "2025-11-06T10:06:45.353325+00:00", "updated": "2026-04-22T00:45:04.158141+00:00", "vendors": ["blog2social", "blog2social$PRODUCT$blog2social", "wordpress", "wordpress$PRODUCT$wordpress"]}