WordPress Plugin: blog2social: CVE-2025-14943: Incorrect Authorization
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:L/Au:S/C:P/I:N/A:N) | Jan 9, 2026 | Jan 12, 2026 | Jan 12, 2026 |
Description
The Blog2Social: Social Media Auto Post and Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. This is due to a misconfigured authorization check on the 'getShipItemFullText' function which only verifies that a user has the 'read' capability (Subscriber-level) and a valid nonce, but fails to verify whether the user has permission to access the specific post being requested. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract data from password-protected, private, or draft posts.
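The authorization gap described above, shown as an added example of the fix pattern for a WordPress AJAX handler. This is not Blog2Social's code: the action name, nonce action and request field names are hypothetical.

```php
<?php
// Hypothetical AJAX handler illustrating the fix pattern; not Blog2Social's code.
// Assumed names: action 'example_get_post_text', nonce action 'example_nonce',
// request fields 'nonce' and 'post_id'.
add_action('wp_ajax_example_get_post_text', 'example_get_post_text');

function example_get_post_text() {
    // 1. CSRF check: proves the request came from a page rendered for this user.
    check_ajax_referer('example_nonce', 'nonce');

    // 2. Coarse check: every logged-in role, Subscriber included, has 'read'.
    //    The vulnerable pattern stops here and returns the post.
    if (!current_user_can('read')) {
        wp_send_json_error(array('message' => 'Forbidden'), 403);
    }

    $post_id = isset($_POST['post_id']) ? absint($_POST['post_id']) : 0;
    $post    = $post_id ? get_post($post_id) : null;
    if (!$post) {
        wp_send_json_error(array('message' => 'Not found'), 404);
    }

    // 3. Object-level check: 'read_post' is a meta capability that WordPress
    //    maps per post, so private posts and drafts are refused unless the
    //    user is the author or holds the matching capability.
    if (!current_user_can('read_post', $post->ID)) {
        wp_send_json_error(array('message' => 'Not found'), 404);
    }

    // 4. Password-protected posts normally have 'publish' status, so step 3
    //    passes them. Refuse unless the visitor has unlocked the post or
    //    could edit it anyway.
    if (post_password_required($post) && !current_user_can('edit_post', $post->ID)) {
        wp_send_json_error(array('message' => 'Not found'), 404);
    }

    wp_send_json_success(array('content' => $post->post_content));
}
```

Returning the same 404 for missing and forbidden posts keeps the handler from confirming which post IDs exist.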
Solution
blog2social-plugin-cve-2025-14943