{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1935", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T21:13:47.975Z", "datePublished": "2026-03-21T03:26:45.342Z", "dateUpdated": "2026-04-08T16:51:16.423Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:16.423Z"}, "affected": [{"vendor": "brainstation23", "product": "Company Posts for LinkedIn", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Company Posts for LinkedIn plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.0. This is due to a missing capability check on the `linkedin_company_post_reset_handler()` function hooked to `admin_post_reset_linkedin_company_post`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete LinkedIn post data stored in the site's options table."}], "title": "Company Posts for LinkedIn <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary LinkedIn Post Data Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c635405-997e-44ea-8851-7d09051307ad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/company-posts-for-linkedin/trunk/admin/class-linkedin-company-posts-admin.php#L625"}, {"url": "https://plugins.trac.wordpress.org/browser/company-posts-for-linkedin/tags/1.0.0/admin/class-linkedin-company-posts-admin.php#L625"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "timeline": [{"time": "2026-03-20T15:17:57.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T17:58:03.057180Z", "id": "CVE-2026-1935", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:58:56.356Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1935", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T17:58:03.057180Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:58:46.587Z"}}], "cna": {"title": "Company Posts for LinkedIn <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary LinkedIn Post Data Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Abhirup Konwar"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "brainstation23", "product": "Company Posts for LinkedIn", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:17:57.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c635405-997e-44ea-8851-7d09051307ad?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/company-posts-for-linkedin/trunk/admin/class-linkedin-company-posts-admin.php#L625"}, {"url": "https://plugins.trac.wordpress.org/browser/company-posts-for-linkedin/tags/1.0.0/admin/class-linkedin-company-posts-admin.php#L625"}], "descriptions": [{"lang": "en", "value": "The Company Posts for LinkedIn plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.0. This is due to a missing capability check on the `linkedin_company_post_reset_handler()` function hooked to `admin_post_reset_linkedin_company_post`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete LinkedIn post data stored in the site's options table."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-21T03:26:45.342Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1935", "state": "PUBLISHED", "dateUpdated": "2026-03-23T17:58:56.356Z", "dateReserved": "2026-02-04T21:13:47.975Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:26:45.342Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Company Posts for LinkedIn plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.0. This is due to a missing capability check on the `linkedin_company_post_reset_handler()` function hooked to `admin_post_reset_linkedin_company_post`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete LinkedIn post data stored in the site's options table."}, {"lang": "es", "value": "El plugin Company Posts for LinkedIn para WordPress es vulnerable a Autorizaci\u00f3n Faltante en todas las versiones hasta la 1.0.0, inclusive. Esto se debe a una verificaci\u00f3n de capacidad faltante en la funci\u00f3n `linkedin_company_post_reset_handler()` enganchada a `admin_post_reset_linkedin_company_post`. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, eliminen datos de publicaciones de LinkedIn almacenados en la tabla de opciones del sitio."}], "id": "CVE-2026-1935", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:16:56.800", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/company-posts-for-linkedin/tags/1.0.0/admin/class-linkedin-company-posts-admin.php#L625"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/company-posts-for-linkedin/trunk/admin/class-linkedin-company-posts-admin.php#L625"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c635405-997e-44ea-8851-7d09051307ad?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Company Posts for LinkedIn", "source": "cna", "vendor": "brainstation23"}, "product": "company_posts_for_linkedin", "vendor": "brainstation23"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T06:39:24.396995+00:00", "value": {"mitigation_remediation": ["Apply the latest approved update of the Company Posts for LinkedIn plugin that addresses the missing authorization check.", "Create a comprehensive backup of the WordPress database and site files before making changes.", "If an update is not available, deactivate or uninstall the plugin to eliminate the reset functionality.", "Limit subscriber and other non-admin roles from accessing the WordPress admin area or specifically revoke the capability that triggers post resets.", "Continuously monitor site logs for unauthorized usage of the reset action and verify that future plugin updates include appropriate capability checks."], "summary": {"action": "Patch", "impact": "Unauthorized deletion of LinkedIn post data"}, "threat_synthesis": {"affected_systems": "All installations of the Company Posts for LinkedIn plugin by brainstation23 running version 1.0.0 or earlier are affected. Users who have engaged the plugin on their WordPress sites and configured LinkedIn posting are at risk. No specific WordPress core version is implicated; the issue resides entirely within the plugin.", "description_and_impact": "The Company Posts for LinkedIn plugin for WordPress contains a missing capability check on the function that resets LinkedIn post data. As a result, any authenticated user with Subscriber or higher access can trigger the reset action and remove all LinkedIn post information stored in the site's options table. This weakness falls under Missing Authorization, allowing an attacker to delete stored data that may be important for the site's LinkedIn integration.", "risk_and_exploitability": "The CVSS score is 4.3, indicating moderate risk. Because the vulnerability requires an authenticated user, an attacker must already have legitimate access to the WordPress administrative interface with at least Subscriber level privileges. The EPSS score is not available and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting limited public exploitation data. Nonetheless, the ability to delete stored LinkedIn post data can disrupt automated posting and impact a site\u2019s LinkedIn presence; therefore organizations should treat this as a patchable concern."}}}}, "created": "2026-03-23T09:50:41.248940+00:00", "updated": "2026-03-25T14:42:14.397379+00:00", "vendors": ["brainstation23", "brainstation23$PRODUCT$company_posts_for_linkedin", "wordpress", "wordpress$PRODUCT$wordpress"]}