Vulnerabilities and security researches forblog2social blog2social
Direction: ascendingJun 07, 2024
Blog2Social: Social Media Auto Post & Scheduler # CVE-2019-17550
- CVE, Research URL
- Date
- Nov 14, 2019
- Research Description
- The Blog2Social plugin before 5.9.0 for WordPress is affected by: Cross Site Scripting (XSS). The impact is: Allows an attacker to execute arbitrary HTML and JavaScript code via the b2s_id parameter. The component is: views/b2s/post.calendar.php. The attack vector is: When the Administrator is logged in, a reflected XSS may execute upon a click on a malicious URL.
- Affected versions
-
max 5.9.0.
- Status
-
vulnerable
Blog2Social: Social Media Auto Post & Scheduler # CVE-2019-9576
- CVE, Research URL
- Date
- Mar 06, 2019
- Research Description
- The Blog2Social plugin before 5.0.3 for WordPress allows wp-admin/admin.php?page=blog2social-ship XSS.
- Affected versions
-
max 5.6.0.
- Status
-
vulnerable
Blog2Social: Social Media Auto Post & Scheduler # CVE-2021-24956
- CVE, Research URL
- Date
- Dec 21, 2021
- Research Description
- The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.8.7 does not sanitise and escape the b2sShowByDate parameter before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting issue
- Affected versions
-
max 6.8.7.
- Status
-
vulnerable
Blog2Social: Social Media Auto Post & Scheduler # CVE-2022-3622
- CVE, Research URL
- Date
- Oct 20, 2023
- Research Description
- The Blog2Social plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in versions up to, and including, 6.9.11. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to change some plugin settings intended to be modifiable by admins only.
- Affected versions
-
max 7.2.1.
- Status
-
vulnerable
Blog2Social: Social Media Auto Post & Scheduler # CVE-2021-24137
- CVE, Research URL
- Date
- Mar 18, 2021
- Research Description
- Unvalidated input in the Blog2Social WordPress plugin, versions before 6.3.1, lead to SQL Injection in the Re-Share Posts feature, allowing authenticated users to inject arbitrary SQL commands.
- Affected versions
-
max 6.3.1.
- Status
-
vulnerable
Blog2Social: Social Media Auto Post & Scheduler # CVE-2022-3246
- CVE, Research URL
- Date
- Oct 25, 2022
- Research Description
- The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.9.10 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscribers
- Affected versions
-
max 5.0.1.
- Status
-
vulnerable
Blog2Social: Social Media Auto Post & Scheduler # CVE-2019-13572
- CVE, Research URL
- Date
- Aug 01, 2019
- Research Description
- The Adenion Blog2Social plugin through 5.5.0 for WordPress allows SQL Injection.
- Affected versions
-
max 5.6.0.
- Status
-
vulnerable
Blog2Social: Social Media Auto Post & Scheduler # CVE-2023-3936
- CVE, Research URL
- Date
- Aug 21, 2023
- Research Description
- The Blog2Social WordPress plugin before 7.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
- Affected versions
-
max 7.2.1.
- Status
-
vulnerable
Blog2Social: Social Media Auto Post & Scheduler # CVE-2022-3247
- CVE, Research URL
- Date
- Oct 25, 2022
- Research Description
- The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 6.9.10 does not have authorisation in an AJAX action, and does not ensure that the URL to make a request to is an external one. As a result, any authenticated users, such as subscriber could perform SSRF attacks
- Affected versions
-
max 6.9.10.
- Status
-
vulnerable
Blog2Social: Social Media Auto Post & Scheduler # CVE-2023-40554
- CVE, Research URL
- Date
- Sep 06, 2023
- Research Description
- Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Blog2Social, Adenion Blog2Social: Social Media Auto Post & Scheduler plugin <= 7.2.0 versions.
- Affected versions
-
max 7.2.1.
- Status
-
vulnerable
Blog2Social: Social Media Auto Post & Scheduler # CVE-2024-3678
- CVE, Research URL
- Date
- Apr 26, 2024
- Research Description
- The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.4.2. This makes it possible for unauthenticated attackers to view limited information from password protected posts.
- Affected versions
-
max 7.5.0.
- Status
-
vulnerable
Jun 13, 2024
Blog2Social: Social Media Auto Post & Scheduler # CVE-2024-3549
- CVE, Research URL
- Date
- Jun 11, 2024
- Research Description
- The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to SQL Injection via the 'b2sSortPostType' parameter in all versions up to, and including, 7.4.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
- Affected versions
-
max 7.4.2.
- Status
-
vulnerable
Aug 02, 2024
Blog2Social: Social Media Auto Post & Scheduler # CVE-2024-7302
- CVE, Research URL
- Date
- Aug 01, 2024
- Research Description
- The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 3gp2 file uploads in all versions up to, and including, 7.5.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the 3gp2 file.
- Affected versions
-
max 7.5.5.
- Status
-
vulnerable
Jun 14, 2025
Blog2Social: Social Media Auto Post & Scheduler # CVE-2025-4133
- CVE, Research URL
- Date
- May 22, 2025
- Research Description
- The Blog2Social: Social Media Auto Post & Scheduler WordPress plugin before 8.4.0 does not escape the title of posts when outputting them in a dashboard, which could allow users with the contributor role to perform Cross-Site Scripting attacks.
- Affected versions
-
max 8.4.0.
- Status
-
vulnerable
Jun 17, 2025
Blog2Social: Social Media Auto Post & Scheduler # CVE-2025-5673
- CVE, Research URL
- Date
- Jun 17, 2025
- Research Description
- The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to SQL Injection via the ‘prgSortPostType’ parameter in all versions up to, and including, 8.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
- Affected versions
-
max 8.4.5.
- Status
-
vulnerable
Nov 11, 2025
Blog2Social: Social Media Auto Post & Scheduler # CVE-2025-12563
- CVE, Research URL
- Date
- Nov 06, 2025
- Research Description
- The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to limited file upload due to an incorrect capability check on theuploadVideo() function in all versions up to, and including, 8.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload mp4 files to the 'wp-content/uploads/<YYYY>/<MM>/' directory.
- Affected versions
-
max 8.6.1.
- Status
-
vulnerable
Blog2Social: Social Media Auto Post & Scheduler # CVE-2025-12560
- CVE, Research URL
- Date
- Nov 06, 2025
- Research Description
- The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 8.6.0 via the getFullContent() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
- Affected versions
-
max 8.6.1.
- Status
-
vulnerable
Dec 10, 2025
Blog2Social: Social Media Auto Post & Scheduler # CVE-2025-13558
- CVE, Research URL
- Date
- Nov 25, 2025
- Research Description
- The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'deleteUserCcDraftPost' function in all versions up to, and including, 8.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the status of arbitrary posts to trash.
- Affected versions
-
max 8.7.1.
- Status
-
vulnerable
Jan 28, 2026
Blog2Social: Social Media Auto Post & Scheduler # CVE-2025-14943
- CVE, Research URL
- Date
- Jan 10, 2026
- Research Description
- The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. This is due to a misconfigured authorization check on the 'getShipItemFullText' function which only verifies that a user has the 'read' capability (Subscriber-level) and a valid nonce, but fails to verify whether the user has permission to access the specific post being requested. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract data from password-protected, private, or draft posts.
- Affected versions
-
max 8.7.3.
- Status
-
vulnerable
Apr 13, 2026
Blog2Social: Social Media Auto Post & Scheduler # CVE-2026-4331
- CVE, Research URL
- Date
- Mar 26, 2026
- Research Description
- The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. This is due to the resetSocialMetaTags() function only verifying that the user has the 'read' capability and a valid b2s_security_nonce, both of which are available to Subscriber-level users, as the plugin grants 'blog2social_access' capability to all roles upon activation, allowing them to access the plugin's admin pages where the nonce is output. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all _b2s_post_meta records from the wp_postmeta table, permanently removing all custom social media meta tags for every post on the site.
- Affected versions
-
max 8.8.3.
- Status
-
vulnerable
Blog2Social: Social Media Auto Post & Scheduler # CVE-2026-4330
- CVE, Research URL
- Date
- Apr 08, 2026
- Research Description
- The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and including, 8.8.3. This is due to the plugin's AJAX handlers failing to validate that the user-supplied 'b2s_id' parameter belongs to the current user before performing UPDATE and DELETE operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify, reschedule, or delete other users' scheduled social media posts.
- Affected versions
-
max 8.8.4.
- Status
-
vulnerable
Apr 15, 2026
Blog2Social: Social Media Auto Post & Scheduler # CVE-2026-1942
- CVE, Research URL
- Date
- Feb 18, 2026
- Research Description
- The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the b2s_curation_draft AJAX action in all versions up to, and including, 8.7.4. The curationDraft() function only verifies current_user_can('read') without checking whether the user has edit_post permission for the target post. Combined with the plugin granting UI access and nonce exposure to all roles, this makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the title and content of arbitrary posts and pages by supplying a target post ID via the 'b2s-draft-id' parameter.
- Affected versions
-
max 8.7.5.
- Status
-
vulnerable