What the vulnerability does
01 Description
The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the add_menu_item() method hooked to admin_menu in all versions up to, and including, 4.5.8. This is due to the method performing wp_insert_post() and update_post_meta() calls to create a sharing configuration without verifying the current user has administrator-level capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the creation of a published wpzoom-sharing configuration post with default sharing button settings, which causes social sharing buttons to be automatically injected into all post content on the frontend via the the_content filter.
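The pattern the description names, an admin_menu callback that performs writes without a capability check, is shown below next to a hardened form. This is an added illustration, not the plugin's own code or the vendor's patch; the class name, meta key, menu slug and default button list are hypothetical, and it assumes a loaded WordPress environment.

```php
<?php
// Added illustration, not the plugin's code: a hypothetical admin_menu
// callback that creates a sharing-configuration post, in the unguarded
// shape the advisory describes and in a hardened shape. Assumes a loaded
// WordPress environment (add_action, current_user_can, get_posts,
// wp_insert_post, update_post_meta, add_menu_page are core functions).
class Example_Sharing_Admin {
    public function __construct() {
        // admin_menu fires for every authenticated user who loads wp-admin,
        // Subscribers included, so the callback must enforce authorization.
        add_action( 'admin_menu', array( $this, 'add_menu_item' ) );
    }
    // Unguarded pattern: a write runs for any logged-in user.
    public function add_menu_item_unguarded() {
        $this->create_default_config();
    }

    // Hardened pattern: administrator-level capability required before any
    // write, and the write only happens once.
    public function add_menu_item() {
        if ( ! current_user_can( 'manage_options' ) ) {
            return; // low-privilege users get neither a menu nor a config post
        }
        $existing = get_posts( array(
            'post_type'   => 'wpzoom-sharing', // post type named in the advisory
            'post_status' => 'any',
            'numberposts' => 1,
            'fields'      => 'ids',
        ) );
        if ( empty( $existing ) ) {
            $this->create_default_config();
        }
        // The capability passed here only gates rendering the page; the
        // check above is what protects the write.
        add_menu_page( 'Sharing', 'Sharing', 'manage_options',
            'example-sharing', '__return_null' );
    }

    private function create_default_config() {
        $post_id = wp_insert_post( array(
            'post_type'   => 'wpzoom-sharing',
            'post_title'  => 'Default sharing configuration',
            'post_status' => 'publish',
        ) );
        if ( $post_id && ! is_wp_error( $post_id ) ) {
            // Meta key and default button list are hypothetical placeholders.
            update_post_meta( $post_id, '_example_sharing_buttons', array( 'facebook', 'x' ) );
        }
    }
}
```

A stricter fix moves the creation out of admin_menu entirely into an explicit settings-save handler that checks both the capability and a nonce, so that registering a menu never has side effects.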
Explanation of Vulnerability in Simple Terms
02 Summary
The Social Icons Widget & Block plugin for WordPress contains an authorization flaw that allows authenticated users with low privileges to modify widget or block settings they should not have access to. An attacker with a basic user account can alter social media icon configurations or sharing button behavior. This affects versions up to 4.5.8. Update to a version newer than 4.5.8 to resolve the issue.
What an attacker can do
03 Attacker Capabilities
Modify social icon widget or block settings without proper permission checks.
Potential impact on your site
04 Site Impact
Unauthorized users can alter how social sharing buttons or icons appear and function on your site.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege WordPress user account (e.g., Contributor or Subscriber).
Key dates
06 Disclosure timeline
March 13, 2026: CVE published
April 8, 2026: Record updated