WordPress Security Bulletin: Company Posts for LinkedIn Plugin Vulnerability (CVE-2026-1935)

Security Alert Summary

The Company Posts for LinkedIn plugin for WordPress contains a missing authorization check that allows authenticated users with Subscriber-level access or higher to trigger a handler that deletes LinkedIn post data stored in the site options table. The issue affects all versions up to and including 1.0.0.


CVE Details

  • CVE ID: CVE-2026-1935
  • Affected component: Company Posts for LinkedIn plugin for WordPress
  • Affected versions: All versions up to, and including, 1.0.0
  • Published: March 21, 2026 at 4:16:56 AM UTC
  • Last modified: March 21, 2026 at 4:16:56 AM UTC
  • CVSS v3.1: Base Score 4.3 (MEDIUM) — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • Authentication / privileges / user interaction: Privileges Required: Low (authenticated user such as Subscriber); User Interaction: None
  • Primary impact: Confidentiality: None; Integrity: Low (deletion/modification of plugin-stored data); Availability: None
  • Weakness (CWE): CWE-862 (Missing Authorization)

Technical Details

The vulnerability is a missing-authorization flaw (CWE-862): the linkedin_company_post_reset_handler() function, which is hooked to the admin_post_reset_linkedin_company_post action, deletes LinkedIn-related post data from the WordPress options table without verifying that the current user holds the capability required for that action.

Because no capability check precedes the delete operation, any authenticated user with Subscriber-level access or higher can invoke the handler and remove the stored LinkedIn post data. The impact is limited to the integrity of the plugin-stored data in the options table; the published data gives no indication of confidentiality or availability effects beyond that modification.
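The pattern described above, with the handler shown first in its vulnerable form and then hardened with a capability check and a nonce. This is an added illustration, not the plugin's actual code; the option name, text domain and admin page slug are assumed placeholders.

```php
<?php
// Added illustrative example, not the plugin's own source.
// Assumed placeholders: option 'lcp_posts_data', text domain 'lcp', page slug 'lcp-settings'.

// VULNERABLE PATTERN (CWE-862): admin_post_{action} fires for ANY logged-in user,
// so without a capability check a Subscriber can reach this and wipe the data.
function linkedin_company_post_reset_handler_vulnerable() {
    delete_option( 'lcp_posts_data' );            // state change with no authorization
    wp_safe_redirect( admin_url( 'admin.php?page=lcp-settings' ) );
    exit;
}
// add_action( 'admin_post_reset_linkedin_company_post', 'linkedin_company_post_reset_handler_vulnerable' );

// HARDENED: authorize first, then verify the request's origin, then act.
function linkedin_company_post_reset_handler() {
    // Capability check: only users who may manage site options can reset the data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to perform this action.', 'lcp' ), 403 );
    }
    // Nonce check: rejects requests not originating from the plugin's own form (CSRF).
    check_admin_referer( 'reset_linkedin_company_post' );

    delete_option( 'lcp_posts_data' );
    wp_safe_redirect( add_query_arg( 'reset', '1', admin_url( 'admin.php?page=lcp-settings' ) ) );
    exit;
}
add_action( 'admin_post_reset_linkedin_company_post', 'linkedin_company_post_reset_handler' );

// The admin form that triggers the action must carry the matching nonce.
function linkedin_company_post_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="reset_linkedin_company_post" />
        <?php wp_nonce_field( 'reset_linkedin_company_post' ); ?>
        <?php submit_button( esc_html__( 'Reset LinkedIn post data', 'lcp' ) ); ?>
    </form>
    <?php
}
```

Note that current_user_can() is the fix for this CVE; the nonce check addresses the separate case where an administrator is tricked into submitting the form, so both belong in any state-changing admin_post handler.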


How This Could Impact Your Website

In a multi-user WordPress site, a typical scenario might involve a site owner who delegates content management to internal staff and external contributors. An authenticated contributor or contractor with only Subscriber-level access could, whether deliberately or by following a crafted request, trigger the vulnerable handler and delete the LinkedIn post data saved in the site's options table.

Practical consequences include loss of LinkedIn post history, removal of scheduled posts or stored metadata used for social publishing, and additional administrative work to restore content and reconfigure the integration from backups. These disruptions can interrupt your social media workflow and require time from administrators to recover lost items.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles and capabilities, especially for contributors and other non-administrative accounts.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce attack surface.
  • Monitor site activity and logs for unusual behavior related to plugin settings or option changes.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.