CVE-2026-4063

March 13, 2026, 7:55 p.m.

4.3
Medium

Description

The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the add_menu_item() method hooked to admin_menu in all versions up to, and including, 4.5.8. This is due to the method performing wp_insert_post() and update_post_meta() calls to create a sharing configuration without verifying the current user has administrator-level capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the creation of a published wpzoom-sharing configuration post with default sharing button settings, which causes social sharing buttons to be automatically injected into all post content on the frontend via the the_content filter.

Product(s) Impacted

Vendor Product Versions
Wpzoom
  • Social Icons Widget And Block
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a wpzoom social_icons_widget_and_block / / / / / wordpress / /

References

https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/tags/4.5.8/includes/classes/class-wpzoom-social-sharing-buttons.php#L110
https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/tags/4.5.8/includes/classes/class-wpzoom-social-sharing-buttons.php#L134
https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/trunk/includes/classes/class-wpzoom-social-sharing-buttons.php#L110
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3481444%40social-icons-widget-by-wpzoom%2Ftrunk&old=3462717%40social-icons-widget-by-wpzoom%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/6af64b51-1758-495f-b6d7-364488de9ab8?source=cve

Tags

[email protected]
CWE-862
2026-03-13
CVE-2026-4063

CVSS Score

4.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

    View Vector String

Timeline

Published: March 13, 2026, 7:55 p.m.
Last Modified: March 13, 2026, 7:55 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.