Blog2Social Missing Authorization Vulnerability Allows Deletion of Arbitrary Post Records

Vulnerability

A vulnerability exists in the Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress, affecting all versions through 8.9.0. The issue stems from a lack of proper authorization checks in the 'deleteUserPublishPost' and 'deleteUserSchedPost' functions. These functions fail to verify post ownership, enabling authenticated attackers to delete any user's B2S post records by sending specific post ID values through the 'postId' parameter. This vulnerability disrupts the content publishing process by allowing the deletion of scheduled and published social media posts from other users.

Impact

Exploitation of this vulnerability allows authenticated users to delete published and scheduled social media post records of other users, disrupting their content publishing workflows.

Reproduction

To reproduce this vulnerability, an authenticated user (with subscriber privileges) can send a request to the WordPress site with an arbitrary post ID value in the 'postId' parameter. The request will be processed by the vulnerable 'deleteUserPublishPost' or 'deleteUserSchedPost' functions, which will delete the specified post record without verifying the user's ownership of the post.

Remediation

Users are advised to update the Blog2Social: Social Media Auto Post & Scheduler plugin to version 8.9.1 or later.
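The missing ownership check described above can be modeled in a few lines. This is an added example, not the plugin's code or its 8.9.1 patch: the table, column and function names are hypothetical, and an in-memory SQLite database stands in for the WordPress database.

```python
import sqlite3


def make_db():
    """Constructed sample data; the schema is hypothetical, not the plugin's."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE post_records (id INTEGER PRIMARY KEY, owner_id INTEGER, kind TEXT)"
    )
    db.executemany(
        "INSERT INTO post_records (id, owner_id, kind) VALUES (?, ?, ?)",
        [(1, 10, "published"), (2, 10, "scheduled"), (3, 20, "scheduled")],
    )
    return db


def delete_record_unchecked(db, current_user_id, post_id):
    """Flawed pattern: the record is selected by the request's postId alone,
    so the authenticated caller's identity never influences the query."""
    cur = db.execute("DELETE FROM post_records WHERE id = ?", (int(post_id),))
    return cur.rowcount


def delete_record_owned(db, current_user_id, post_id):
    """Corrected pattern: the user id taken from the session (never from the
    request) is part of the WHERE clause, so only the owner's row can match."""
    cur = db.execute(
        "DELETE FROM post_records WHERE id = ? AND owner_id = ?",
        (int(post_id), int(current_user_id)),
    )
    # 0 rows means "no such record" or "not yours"; answer both the same way
    # so the response does not reveal which ids exist.
    return cur.rowcount


def remaining_ids(db):
    return [row[0] for row in db.execute("SELECT id FROM post_records ORDER BY id")]


if __name__ == "__main__":
    for handler in (delete_record_unchecked, delete_record_owned):
        db = make_db()
        deleted = handler(db, current_user_id=20, post_id=1)  # record 1 belongs to user 10
        print(handler.__name__, "deleted:", deleted, "remaining:", remaining_ids(db))
```

Scoping the query by owner keeps the check and the delete in one statement, which avoids a gap between a separate ownership lookup and the deletion.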

Added: May 13, 2026, 4:53 PM
Updated: May 13, 2026, 4:53 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 8.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.