Blog2Social: Social Media Auto Post & Scheduler
cpe:2.3:a:blog2social:blog2social:*:*:*:*:wordpress:*:*
- <= 8.8.2
A vulnerability exists in the Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress, affecting all versions through 8.8.2. The issue arises because the resetSocialMetaTags() function only checks whether the user has the 'read' capability and supplies a valid nonce, both of which are available to users with Subscriber-level roles. Upon activation, the plugin grants the 'blog2social_access' capability to all roles, enabling them to access the plugin's admin pages where the nonce is displayed. This vulnerability allows authenticated attackers with Subscriber-level access or higher to delete all _b2s_post_meta records from the wp_postmeta table, permanently erasing the custom social media meta tags for every post on the site.
Exploitation of this vulnerability leads to unauthorized deletion of social media meta tags from posts, causing potential disruption in how posts are shared or represented on social media platforms.
To reproduce this vulnerability, an authenticated user with Subscriber-level access must send a request to the 'b2s_reset_social_meta_tags' AJAX action. This can be done by accessing the plugin's admin pages, where the necessary nonce is available. Once the request is sent, all _b2s_post_meta records will be deleted from the wp_postmeta table, removing custom social media meta tags from the posts.
Users are advised to update the Blog2Social: Social Media Auto Post & Scheduler plugin to version 8.8.3 or a newer patched version.
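The following is an added illustration, not the plugin's own code: the authorization pattern the advisory describes, beside a hardened version that gates the site-wide delete on an administrative capability. The nonce action name, the request field name and the capability chosen for the fix are assumptions; the WordPress API calls are real.

```php
<?php
// Illustrative reconstruction, not Blog2Social's code. The AJAX action and
// the meta key come from the advisory; the nonce action name
// ('b2s_nonce', assumed) and the request field ('nonce', assumed) are made up.

// Pattern described in the advisory: a valid nonce plus the 'read'
// capability is the only gate. Every Subscriber holds 'read', and the nonce
// is visible on plugin pages that all roles can open, so the check fails to
// restrict who may trigger a destructive, site-wide operation.
function b2s_reset_social_meta_tags_as_described() {
    check_ajax_referer( 'b2s_nonce', 'nonce' );      // CSRF token only
    if ( ! current_user_can( 'read' ) ) {            // satisfied by Subscribers
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_post_meta_by_key( '_b2s_post_meta' );     // removes the key for every post
    wp_send_json_success();
}

// Hardened form. A nonce proves the request was intended, not that the
// caller is allowed to make it; authorization needs a capability that only
// trusted roles hold. 'manage_options' (administrators) is an assumed choice;
// a plugin-specific capability granted only to administrators would also work,
// provided it is not handed to every role on activation.
function b2s_reset_social_meta_tags_hardened() {
    check_ajax_referer( 'b2s_nonce', 'nonce' );      // keep the CSRF check
    if ( ! current_user_can( 'manage_options' ) ) {  // administrators only
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_post_meta_by_key( '_b2s_post_meta' );
    wp_send_json_success();
}

// Register the hardened handler for the AJAX action named in the advisory.
add_action( 'wp_ajax_b2s_reset_social_meta_tags', 'b2s_reset_social_meta_tags_hardened' );
```

When reviewing a plugin, look for any wp_ajax_* handler whose only checks are a nonce and a low capability such as 'read'; the nonce alone never establishes authorization.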