CVE-2026-1935 in Company Posts for LinkedIn Plugin
Summary
by MITRE • 03/21/2026
The Company Posts for LinkedIn plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.0. This is due to a missing capability check on the `linkedin_company_post_reset_handler()` function hooked to `admin_post_reset_linkedin_company_post`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete LinkedIn post data stored in the site's options table.
Analysis
by VulDB Data Team • 03/21/2026
The vulnerability identified as CVE-2026-1935 affects the Company Posts for LinkedIn plugin for WordPress in version 1.0.0 and earlier. It is an authorization flaw: the `linkedin_company_post_reset_handler()` function, registered on the `admin_post_reset_linkedin_company_post` action hook, performs no capability check before acting. Any authenticated user, down to the Subscriber role, can therefore trigger the plugin's reset operation and delete the LinkedIn post data the plugin keeps in the site's options table. The summary describes data deletion only; no information disclosure or privilege escalation is attributed to this issue.
The root cause is how WordPress dispatches `admin_post_*` actions. A request to `/wp-admin/admin-post.php?action=reset_linkedin_company_post` is routed to the `admin_post_reset_linkedin_company_post` hook for every logged-in user; WordPress itself only distinguishes authenticated from anonymous requests (`admin_post_nopriv_*`) and leaves the decision of who may run the action to the plugin. Since the handler never calls `current_user_can()` (or an equivalent capability test), the check that should separate an administrator from a Subscriber is simply absent. A nonce check, if one existed, would not close the gap on its own: a nonce proves that the request came from a form the same user loaded, not that the user is authorized. The affected data lives in the WordPress options table, where the plugin stores its configuration and cached LinkedIn content.
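The following is an added illustration of the pattern described above, written for this analysis and not taken from the plugin's source (the plugin's actual code is not on this page). The hook and function names are the ones the advisory cites; the option name `linkedin_company_posts`, the text domain and the redirect target are assumptions. The vulnerable variant is shown unhooked for contrast; the hooked version adds the capability check that was missing and a nonce check for CSRF.

```php
<?php
// Illustrative code for this analysis, not the plugin's own source.
// Only the hardened handler is hooked; the vulnerable one is kept for comparison.
add_action( 'admin_post_reset_linkedin_company_post', 'linkedin_company_post_reset_handler' );

// VULNERABLE PATTERN (as the advisory describes it): every logged-in user who
// requests /wp-admin/admin-post.php?action=reset_linkedin_company_post reaches
// this function, because WordPress only requires that the caller be authenticated.
function linkedin_company_post_reset_handler_vulnerable() {
    delete_option( 'linkedin_company_posts' ); // hypothetical option name
    wp_safe_redirect( admin_url( 'options-general.php?page=linkedin-company-posts' ) );
    exit;
}

// HARDENED PATTERN: authorization first, then intent (nonce), then the action.
function linkedin_company_post_reset_handler() {
    // 1. Capability check: only users who may manage site options can reset.
    //    This is the check whose absence is CVE-2026-1935.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'company-posts-for-linkedin' ), 403 );
    }

    // 2. Nonce check: stops a third party from tricking an authorized admin
    //    into submitting the reset. Not a substitute for step 1.
    check_admin_referer( 'reset_linkedin_company_post', '_wpnonce' );

    // 3. The privileged operation itself.
    delete_option( 'linkedin_company_posts' ); // hypothetical option name

    $back = wp_get_referer() ?: admin_url( 'options-general.php?page=linkedin-company-posts' );
    wp_safe_redirect( add_query_arg( 'reset', '1', $back ) );
    exit;
}

// The settings page form that triggers the handler must carry the matching nonce.
function linkedin_company_post_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="reset_linkedin_company_post" />
        <?php wp_nonce_field( 'reset_linkedin_company_post', '_wpnonce' ); ?>
        <?php submit_button( __( 'Reset LinkedIn post data', 'company-posts-for-linkedin' ), 'delete' ); ?>
    </form>
    <?php
}
```

The order matters: `current_user_can()` runs before anything else so that an unauthorized caller never reaches the nonce check or the `delete_option()` call, and `manage_options` is the natural capability for code that rewrites the options table.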
The operational impact is the loss of whatever the plugin stores for its LinkedIn integration. Depending on what the reset clears, that may include cached posts, scheduling settings or the credentials used to talk to the LinkedIn API; if API tokens are among the deleted options, the integration stops working until an administrator reconnects it. The flaw requires no privilege escalation at all: any account that can log in suffices, including a Subscriber created through open user registration, and the request is an ordinary authenticated call to `admin-post.php` rather than anything that needs wp-admin menu access.
Mitigation should start with updating the plugin to a version that adds the capability check, or disabling it until one is available. Site owners should also review who holds accounts on the site and whether open registration is needed, since the Subscriber role is the default for self-registered users, and should log and alert on `admin-post.php` requests for privileged actions issued by low-privilege accounts. For classification, VulDB files this under CWE-863 (Incorrect Authorization); the "Missing Authorization" wording used in the summary corresponds to the closely related CWE-862. In ATT&CK terms the activity maps to T1078 (Valid Accounts) for the authenticated access and T1485 (Data Destruction) for the effect, depending on how an exploitation attempt presents in the wild. Finally, the same pattern, an `admin_post_*` or `wp_ajax_*` handler with no capability check, is common in third-party plugins, so a review of other installed components for the same omission is worthwhile.
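As an added example of the monitoring and interim control mentioned above (not part of the advisory or the plugin), the following must-use plugin intercepts the affected `admin-post.php` action before the plugin's own handler runs, denies it for users lacking `manage_options`, and writes a log line that a SIEM can pick up. It relies on `admin_init` firing inside `admin-post.php` ahead of the `admin_post_{action}` dispatch, which is how WordPress core orders them. The action-to-capability table, the file name and the log format are this example's assumptions.

```php
<?php
/**
 * Plugin Name: Guard admin-post reset actions (illustrative mu-plugin)
 * Description: Virtual patch and detection for CVE-2026-1935 while the
 *              vulnerable plugin version is still installed. Example code,
 *              drop into wp-content/mu-plugins/ as guard-admin-post.php.
 */

// Actions to guard and the capability each should require. The action name is
// the one from the advisory; the capability choice is this example's assumption.
const GUARDED_ADMIN_POST_ACTIONS = array(
    'reset_linkedin_company_post' => 'manage_options',
);

// admin_init runs (via admin.php) before admin-post.php fires admin_post_{action},
// so priority 0 here executes ahead of the plugin's handler whatever its priority.
add_action( 'admin_init', 'guard_admin_post_actions', 0 );

function guard_admin_post_actions() {
    global $pagenow;

    // Only look at admin-post.php requests that name an action.
    if ( 'admin-post.php' !== $pagenow || empty( $_REQUEST['action'] ) ) {
        return;
    }

    $action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    if ( ! isset( GUARDED_ADMIN_POST_ACTIONS[ $action ] ) ) {
        return; // not one of the guarded actions
    }

    $required_cap = GUARDED_ADMIN_POST_ACTIONS[ $action ];
    if ( current_user_can( $required_cap ) ) {
        return; // authorized; let the plugin's handler proceed
    }

    // Detection signal: a low-privilege account invoking a privileged action.
    // Subscriber-level accounts hitting this line is exactly the exploit pattern.
    $user = wp_get_current_user();
    error_log( sprintf(
        'admin-post guard: denied action=%s user_id=%d login=%s roles=%s ip=%s',
        $action,
        $user->ID,
        $user->user_login,
        implode( ',', (array) $user->roles ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-'
    ) );

    wp_die( esc_html__( 'You are not allowed to perform this action.' ), 403 );
}
```

Because the check is keyed on the request's `action` parameter rather than on the plugin's function, it keeps working even if the plugin registers its handler at an unusual priority, and the same table can be extended with other `admin_post_*` actions found during the plugin review the analysis recommends. Remove the mu-plugin once the patched plugin version is installed, or keep it as a standing control if the log line is useful.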