The Wordfence Threat Intelligence team responsibly disclosed a Missing Authorization vulnerability in Blog2Social, a WordPress plugin installed on over 70,000 sites that allows users to set up post sharing to various social networks. Vulnerable versions of the plugin make it possible for authenticated attackers with minimal permissions, such as subscribers, to change the plugin’s settings.
Blog2Social: Social Media Auto Post & Scheduler is a plugin offered by Blog2Social/Adenion that provides content creators with the ability to quickly share site content to their social media accounts. It offers automatic post sharing as well as optimized scheduling, and it also extends some of its features to subscribers, enabling them to share posts to their own social media accounts.
As part of the plugin's functionality, there are some more advanced settings that can be managed. Unfortunately, this was implemented insecurely, making it possible for authenticated attackers to update these settings even without the authorization to do so.
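The following is an added illustration of the vulnerability class described above; it is not Blog2Social's code, and the option name, action name and function names (`example_plugin_settings`, `example_update_settings`, and so on) are hypothetical. It shows a WordPress AJAX settings handler in the shape that produces a Missing Authorization finding, next to the hardened form a plugin developer would ship: a nonce check against CSRF and a capability check so that low-privilege roles such as subscribers cannot change the settings.

```php
<?php
// Added example, not the plugin's own code. All names below are hypothetical.

// Vulnerable shape (shown for contrast only; deliberately NOT registered below):
// wp_ajax_* hooks fire for every logged-in user, so without a capability check
// a subscriber can reach this handler via admin-ajax.php and rewrite the option.
function example_update_settings_insecure() {
    $settings               = get_option( 'example_plugin_settings', array() );
    $settings['auto_share'] = ! empty( $_POST['auto_share'] );
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success( $settings );
}

// Hardened shape: verify the request came from a page that issued a nonce
// (CSRF protection) and require a capability only administrators hold
// (authorization) before any option is touched.
function example_update_settings_secure() {
    // Dies with a 403 response unless a valid nonce for this action is present
    // in the 'nonce' request parameter.
    check_ajax_referer( 'example_update_settings', 'nonce' );

    // Subscribers, contributors, authors and editors lack manage_options by
    // default; this is the check whose absence constitutes "Missing Authorization".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $settings               = get_option( 'example_plugin_settings', array() );
    $settings['auto_share'] = ! empty( $_POST['auto_share'] );
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_example_update_settings', 'example_update_settings_secure' );

// The settings page script that calls this handler must be handed a nonce,
// e.g. via wp_localize_script(), created with:
//   wp_create_nonce( 'example_update_settings' )
```

When reviewing a plugin for this class of issue, the quick audit is to list every `add_action( 'wp_ajax_...' )` (and `wp_ajax_nopriv_...`) registration and confirm that each callback performs both a nonce check and a `current_user_can()` check appropriate to what the handler modifies; a nonce alone is not authorization, since any logged-in user can obtain a nonce for a page they are allowed to view.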