Insufficient Privilege Validation in NextScripts: Social Networks Auto-Poster
NextScripts: Social Networks Auto-Poster is a plugin that automatically publishes posts from your blog to your Social Media accounts such as Facebook, Twitter, Google+, Blogger, Tumblr, Flickr, LinkedIn, Instagram, Telegram, YouTube, WordPress, etc.
During a routine research audit for our Sucuri Firewall, we discovered a post deletion, arbitrary posting in social networks, and arbitrary plugin settings update affecting over 100,000 users of the WordPress plugin.
Disclosure / Response Timeline:
- August 24, 2020: Initial contact attempt.