CVE-2026-4063 MEDIUM

CVE-2026-4063: Social Icons Widget & Block <= 4.5.8 - Missing Authorization to Authenticated (Subscriber+) Sharing Configuration Creation

Vendor Wpzoom
Product Social Icons Widget & Block – Social Media Icons & Share Buttons
Weakness CWE-862 · Missing authorization
Published March 13, 2026
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the add_menu_item() method hooked to admin_menu in all versions up to, and including, 4.5.8. This is due to the method performing wp_insert_post() and update_post_meta() calls to create a sharing configuration without verifying the current user has administrator-level capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the creation of a published wpzoom-sharing configuration post with default sharing button settings, which causes social sharing buttons to be automatically injected into all post content on the frontend via the the_content filter.
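The pattern the description names, beside a hardened form, as an added illustration. This is not the plugin's code: the function names, the option key `demo_sharing_config_id` and the meta key `_demo_sharing_buttons` are assumptions, and the snippet assumes the WordPress runtime (`add_action`, `add_menu_page`, `wp_insert_post`, `current_user_can` and friends).

```php
<?php
/**
 * Added illustration of the CWE-862 pattern in the advisory. NOT the plugin's
 * source: function names, the option key 'demo_sharing_config_id' and the meta
 * key '_demo_sharing_buttons' are assumptions. Assumes the WordPress runtime.
 */

// Shared side effect: create a published wpzoom-sharing post with default
// buttons and remember its ID. wp_insert_post() records the current user as
// post_author when none is given, so a post created this way by a Subscriber
// carries that Subscriber's user ID.
function demo_create_default_sharing_config() {
    if ( get_option( 'demo_sharing_config_id' ) ) {
        return; // a configuration already exists
    }
    $post_id = wp_insert_post( array(
        'post_type'   => 'wpzoom-sharing',
        'post_status' => 'publish',
        'post_title'  => 'Default sharing configuration',
    ) );
    if ( $post_id && ! is_wp_error( $post_id ) ) {
        update_post_meta( $post_id, '_demo_sharing_buttons', array( 'facebook', 'twitter' ) );
        update_option( 'demo_sharing_config_id', $post_id );
    }
}

// Vulnerable pattern. admin_menu fires on every wp-admin request for every
// logged-in user, so the creation runs when a Subscriber merely opens
// /wp-admin/profile.php. The 'manage_options' argument to add_menu_page()
// only decides whether the menu entry is DISPLAYED; it does not gate the
// code around the call.
function demo_vuln_add_menu_item() {
    add_menu_page( 'Sharing', 'Sharing', 'manage_options', 'demo-sharing', '__return_null' );
    demo_create_default_sharing_config();
}

// Hardened form. Registering the menu is harmless and stays on admin_menu;
// the state-changing work is gated on an administrator-level capability.
function demo_fixed_add_menu_item() {
    add_menu_page( 'Sharing', 'Sharing', 'manage_options', 'demo-sharing', '__return_null' );
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // Subscribers, Contributors, Authors and Editors stop here
    }
    demo_create_default_sharing_config();
}

// Only the hardened hook is wired; the vulnerable one is kept for contrast.
add_action( 'admin_menu', 'demo_fixed_add_menu_item' );
```

A cleaner design moves the creation off `admin_menu` entirely into an explicit action (for example an `admin_post_*` handler protected by `check_admin_referer()` and the same capability check), so that no request-time side effect exists at all. To check a site for the effect described above, list the post type named in the description with WP-CLI: `wp post list --post_type=wpzoom-sharing --fields=ID,post_author,post_date,post_status`. A published entry whose `post_author` is a low-privilege account is a strong indicator that the side effect fired for that user.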

Explanation of Vulnerability in Simple Terms

02Summary

The Social Icons Widget & Block plugin for WordPress performs a privileged action, creating a sharing configuration, from code that runs for every logged-in user who loads a wp-admin page, without checking that the user is an administrator. Any account with Subscriber-level access or higher can therefore cause a published sharing configuration to be created with default settings, which makes the plugin inject social sharing buttons into every post on the public site. The attacker cannot choose the settings and cannot read anything; the impact is limited to unauthorized modification of site output. This affects all versions up to and including 4.5.8. Update to a version newer than 4.5.8 to resolve the issue.

What an attacker can do

03Attacker Capabilities

Trigger, from any Subscriber-level or higher account, the creation of a published wpzoom-sharing configuration post with default sharing button settings, causing social sharing buttons to be injected into all post content on the frontend. The attacker cannot edit the configuration or read data, which is why the vector scores Integrity: Low and Confidentiality: None.

Potential impact on your site

04Site Impact

A low-privilege user can cause social sharing buttons to appear on every post of the public site without an administrator having enabled them. Content is altered but not disclosed or destroyed. Because the injection is driven by the created wpzoom-sharing post, an administrator must remove or edit that configuration, in addition to updating the plugin, to stop the buttons from being rendered.

Conditions required to exploit

05Prerequisites

Attacker must have an authenticated WordPress account with Subscriber-level access or above, and must load any wp-admin page: the vulnerable method is hooked to admin_menu, which runs on every admin request, and a Subscriber can reach the wp-admin profile page by default. No user interaction from an administrator is required.

Key dates

06Disclosure timeline

March 13, 2026 CVE published
April 8, 2026 Record updated
