What the vulnerability does
01 Description
The Social Images Widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'options_update' function in all versions up to, and including, 2.1. This makes it possible for unauthenticated attackers to delete the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
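The pattern behind a missing capability check, and the form a fix takes, shown as an added illustrative example; this is not the plugin's code, and the option name 'siw_options', the action 'siw_options_update' and the nonce field 'siw_nonce' are assumed names used only for the illustration.

```php
<?php
// Added illustrative example, not the Social Images Widget plugin's own code.
// Assumed: settings live in one option, 'siw_options' (hypothetical name), and
// an admin-post handler resets them.

// BEFORE: the pattern the advisory describes. Any request that reaches this
// handler is honoured: no capability check and no nonce, so a forged request
// (e.g. a link an administrator is tricked into clicking) wipes the settings.
function options_update_vulnerable() {
    delete_option( 'siw_options' );
    wp_safe_redirect( admin_url( 'widgets.php' ) );
    exit;
}

// AFTER: hardened form with three independent checks:
//   1. only the expected HTTP method is accepted;
//   2. current_user_can() - the caller must hold a capability that implies
//      the right to manage options (authorization);
//   3. check_admin_referer() - a valid, unexpired nonce tied to this action
//      must accompany the request (CSRF protection).
function options_update_hardened() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'Invalid request method.', '', array( 'response' => 405 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.', '', array( 'response' => 403 ) );
    }
    // Dies with a 403 if the 'siw_options_update' nonce is missing or invalid.
    check_admin_referer( 'siw_options_update', 'siw_nonce' );

    delete_option( 'siw_options' );
    wp_safe_redirect( add_query_arg( 'siw_reset', '1', admin_url( 'widgets.php' ) ) );
    exit;
}

// admin_post_{action} fires only for logged-in users, but on its own that does
// not stop a forged request issued from an administrator's browser; the
// capability and nonce checks above do.
add_action( 'admin_post_siw_options_update', 'options_update_hardened' );

// The admin form that triggers the reset must emit the matching nonce field.
function siw_render_reset_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="siw_options_update">';
    wp_nonce_field( 'siw_options_update', 'siw_nonce' );
    submit_button( 'Reset widget settings', 'delete' );
    echo '</form>';
}
```

For detection, a settings change or deletion logged without a corresponding authenticated admin-post request carrying a valid nonce is the signal to look for.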
Explanation of Vulnerability in Simple Terms
02 Summary
The Social Images Widget for WordPress contains a missing authorization check that allows unauthenticated attackers to modify widget settings over the network. An attacker can change how the widget displays or functions without needing to log in or interact with a site administrator. This affects all versions up to 2.1.
What an attacker can do
03 Attacker Capabilities
Modify widget settings and content without authentication.
Potential impact on your site
04 Site Impact
Widget behavior or display could be altered by an attacker without your knowledge or consent.
Conditions required to exploit
05 Prerequisites
Network access to the WordPress site; no login or user interaction required.
Key dates
06 Disclosure timeline
November 25, 2025: CVE published
April 8, 2026: Record updated