Description
The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the add_menu_item() method hooked to admin_menu in all versions up to, and including, 4.5.8. This is due to the method performing wp_insert_post() and update_post_meta() calls to create a sharing configuration without verifying the current user has administrator-level capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the creation of a published wpzoom-sharing configuration post with default sharing button settings, which causes social sharing buttons to be automatically injected into all post content on the frontend via the the_content filter.
Published: 2026-03-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Configuration Change
Action: Apply Patch
AI Analysis

Impact

The WPZOOM Social Icons Widget & Block plugin up to version 4.5.8 contains a missing capability check in its add_menu_item() method. This oversight allows any authenticated WordPress user with Subscriber level or higher to trigger wp_insert_post() and update_post_meta() calls that create a new wpzoom‑sharing configuration post. The newly created configuration is automatically published, and the plugin’s the_content filter injects social sharing buttons into every post’s content on the front‑end. The consequence is unauthorized modification of the site’s content presentation, which can lead to deceptive user experience or unintended disclosure of information. The weakness is a classic authorization flaw, specifically documented as CWE-862.

Affected Systems

WordPress sites running the WPZOOM Social Icons Widget & Block – Social Media Icons & Share Buttons plugin in any release up to and including v4.5.8 are affected. The vulnerability resides in the class-wpzoom-social-sharing-buttons.php file, specifically around lines 110 and 134, where the add_menu_item() method is defined. It is reachable by any user with Subscriber-level access or higher who logs into the WordPress admin area.

Risk and Exploitability

The CVSS score of 4.3 reflects a moderate severity with moderate complexity. EPSS indicates an exploitation probability of less than 1%, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is authenticated: the attacker needs only to log in to the back end with a Subscriber-level account (or higher) and invoke the configuration-creation routine. No additional conditions or external prerequisites are described in the available reference material. The routine is reached through the admin_menu action hook that triggers plugin configuration creation, and the injected sharing buttons appear immediately on all public posts.
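The defensive shape the analysis above implies, as an added example that is not the plugin's code: an admin_menu callback that writes to the database first confirms the current user may change configuration, and creates the record only once and only as a draft. The callback, post type and meta key names are hypothetical.

```php
<?php
/**
 * Added example, not the plugin's code. Names below (callback, post type,
 * meta key) are hypothetical. admin_menu fires on every wp-admin page load
 * for every logged-in user, Subscribers included (they can at least open
 * their profile page), so any side effect placed here must be gated.
 */

add_action( 'admin_menu', 'example_sharing_add_menu_item' );

function example_sharing_add_menu_item() {
	// The flaw described in the advisory is a create-on-load routine with
	// no capability check; this gate is what was missing.
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}

	// Create the configuration at most once; a re-run must not add posts.
	$existing = get_posts( array(
		'post_type'   => 'example_sharing',   // hypothetical post type
		'post_status' => 'any',
		'numberposts' => 1,
		'fields'      => 'ids',
	) );
	if ( ! empty( $existing ) ) {
		return;
	}

	// Store the configuration as a draft so nothing is injected into
	// the_content until an administrator deliberately publishes it.
	$post_id = wp_insert_post( array(
		'post_type'   => 'example_sharing',
		'post_title'  => 'Sharing buttons configuration',
		'post_status' => 'draft',
	), true );
	if ( is_wp_error( $post_id ) ) {
		return;
	}

	// Default button set (constructed sample value).
	update_post_meta( $post_id, '_example_sharing_networks', array( 'facebook', 'x' ) );
}
```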

Generated by OpenCVE AI on March 19, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPZOOM Social Icons Widget & Block plugin to the latest released version (≥4.5.9) to remove the missing capability check.
  • If an update is not possible at the time, temporarily disable or uninstall the plugin to prevent unauthorized configuration creation.
  • Search the site for any unexpectedly created wpzoom‑sharing configuration posts and delete them to eliminate unwanted social sharing buttons.



Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Wpzoom; Wpzoom social Icons Widget & Block – Social Media Icons & Share Buttons

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Wpzoom; Wpzoom social Icons Widget & Block – Social Media Icons & Share Buttons

Fri, 13 Mar 2026 16:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 09:45:00 +0000

Type: Description
Values Added: the vulnerability description shown at the top of this page

Type: Title
Values Added: Social Icons Widget & Block <= 4.5.8 - Missing Authorization to Authenticated (Subscriber+) Sharing Configuration Creation

Type: Weaknesses
Values Added: CWE-862

Type: References (no values shown)

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-13T15:57:28.037Z

Reserved: 2026-03-12T17:32:50.022Z

Link: CVE-2026-4063

Vulnrichment

Updated: 2026-03-13T15:57:24.323Z

NVD

Status: Awaiting Analysis

Published: 2026-03-13T19:55:13.300

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-4063

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:59:33Z

Weaknesses