{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4331", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-17T13:53:00.541Z", "datePublished": "2026-03-26T03:37:27.541Z", "dateUpdated": "2026-04-08T17:02:57.800Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:57.800Z"}, "affected": [{"vendor": "pr-gateway", "product": "Blog2Social: Social Media Auto Post & Scheduler", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.8.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. This is due to the resetSocialMetaTags() function only verifying that the user has the 'read' capability and a valid b2s_security_nonce, both of which are available to Subscriber-level users, as the plugin grants 'blog2social_access' capability to all roles upon activation, allowing them to access the plugin's admin pages where the nonce is output. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all _b2s_post_meta records from the wp_postmeta table, permanently removing all custom social media meta tags for every post on the site."}], "title": "Blog2Social: Social Media Auto Post & Scheduler <= 8.8.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Deletion via 'b2s_reset_social_meta_tags' AJAX Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7dc46bc4-ecfb-438f-b951-7b957489cd96?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L1290"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L1290"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L1281"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L1281"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L37"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L37"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Loader.php#L2202"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Loader.php#L2202"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.3/includes/Ajax/Post.php#L1301"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Mariusz Maik"}], "timeline": [{"time": "2026-03-17T14:08:09.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-25T14:26:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:58:57.835307Z", "id": "CVE-2026-4331", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:59:06.700Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4331", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T13:58:57.835307Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:59:01.043Z"}}], "cna": {"title": "Blog2Social: Social Media Auto Post & Scheduler <= 8.8.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Deletion via 'b2s_reset_social_meta_tags' AJAX Action", "credits": [{"lang": "en", "type": "finder", "value": "Mariusz Maik"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "pr-gateway", "product": "Blog2Social: Social Media Auto Post & Scheduler", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "8.8.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-17T14:08:09.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-25T14:26:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7dc46bc4-ecfb-438f-b951-7b957489cd96?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L1290"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L1290"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L1281"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L1281"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L37"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L37"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Loader.php#L2202"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Loader.php#L2202"}, {"url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.3/includes/Ajax/Post.php#L1301"}], "descriptions": [{"lang": "en", "value": "The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. This is due to the resetSocialMetaTags() function only verifying that the user has the 'read' capability and a valid b2s_security_nonce, both of which are available to Subscriber-level users, as the plugin grants 'blog2social_access' capability to all roles upon activation, allowing them to access the plugin's admin pages where the nonce is output. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all _b2s_post_meta records from the wp_postmeta table, permanently removing all custom social media meta tags for every post on the site."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:02:57.800Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4331", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:02:57.800Z", "dateReserved": "2026-03-17T13:53:00.541Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-26T03:37:27.541Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. This is due to the resetSocialMetaTags() function only verifying that the user has the 'read' capability and a valid b2s_security_nonce, both of which are available to Subscriber-level users, as the plugin grants 'blog2social_access' capability to all roles upon activation, allowing them to access the plugin's admin pages where the nonce is output. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all _b2s_post_meta records from the wp_postmeta table, permanently removing all custom social media meta tags for every post on the site."}, {"lang": "es", "value": "El plugin Blog2Social: Social Media Auto Post &amp; Scheduler para WordPress es vulnerable a la p\u00e9rdida de datos no autorizada en todas las versiones hasta la 8.8.2, inclusive. Esto se debe a que la funci\u00f3n resetSocialMetaTags() solo verifica que el usuario tiene la capacidad 'read' y un b2s_security_nonce v\u00e1lido, ambos disponibles para usuarios con nivel de Suscriptor, ya que el plugin otorga la capacidad 'blog2social_access' a todos los roles al activarse, permiti\u00e9ndoles acceder a las p\u00e1ginas de administraci\u00f3n del plugin donde se genera el nonce. Esto hace posible que atacantes autenticados, con acceso de nivel de Suscriptor o superior, eliminen todos los registros _b2s_post_meta de la tabla wp_postmeta, eliminando permanentemente todas las metaetiquetas personalizadas de redes sociales para cada publicaci\u00f3n en el sitio."}], "id": "CVE-2026-4331", "lastModified": "2026-04-24T16:35:20.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-26T05:16:40.477", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L1281"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L1290"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Ajax/Post.php#L37"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.2/includes/Loader.php#L2202"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/tags/8.8.3/includes/Ajax/Post.php#L1301"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L1281"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L1290"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Ajax/Post.php#L37"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/blog2social/trunk/includes/Loader.php#L2202"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7dc46bc4-ecfb-438f-b951-7b957489cd96?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.8.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Blog2Social: Social Media Auto Post & Scheduler", "source": "cna", "vendor": "pr-gateway"}, "product": "blog2social:_social_media_auto_post_&_scheduler", "vendor": "pr-gateway"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T05:23:13.870550+00:00", "value": {"mitigation_remediation": ["Upgrade Blog2Social to version 8.8.3 or newer, which removes the vulnerability. If upgrading is delayed, consider disabling the AJAX endpoint or restricting the plugin\u2019s access capability to administrators only. Verify that only administrators can edit or reset social meta tags. Ensure that any subscriber-level users are not granted the 'blog2social_access' capability."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized deletion of social media meta tags"}, "threat_synthesis": {"affected_systems": "The issue affects the Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress in all releases up to and including 8.8.2. Users of any role who have basic read permissions can exploit the flaw because the plugin grants access to its admin pages on activation.", "description_and_impact": "The vulnerability lies in the resetSocialMetaTags() function, which only checks for a generic 'read' capability and a nonce. Because all WordPress roles receive the plugin\u2019s 'blog2social_access' capability, authorized subscribers can invoke the AJAX action that deletes every _b2s_post_meta record. The result is a loss of custom social media meta data for all posts, damaging the site\u2019s social sharing configuration and potentially breaking cross\u2011platform integrations. No code execution or data exfiltration is possible, but the integrity of post metadata is compromised.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the attack requires a logged\u2011in user with at least subscriber level rights. Because the vulnerability depends on a legitimate AJAX endpoint that accepts a valid nonce, the exploitation cost is low for authenticated users. No EPSS data or KEV listing is available, but the weakness (CWE\u2011862) is widely known and could be abused by attackers with common access privileges."}}}}, "created": "2026-03-26T11:30:40.080210+00:00", "updated": "2026-03-26T12:08:40.624649+00:00", "vendors": ["pr-gateway", "pr-gateway$PRODUCT$blog2social:_social_media_auto_post_&_scheduler", "wordpress", "wordpress$PRODUCT$wordpress"]}