WordPress Security Bulletin: Social Icons Widget & Block by WPZOOM (CVE-2026-4063)


Security Alert Summary

The Social Icons Widget & Block by WPZOOM plugin contains a missing capability check in a method hooked to admin_menu. Any authenticated user with Subscriber-level access or above can therefore cause the plugin to create a published sharing configuration post; once that configuration exists, the plugin injects social sharing buttons into post content on the frontend.


CVE Details

  • CVE ID: CVE-2026-4063
  • Affected plugin / component: The Social Icons Widget & Block by WPZOOM plugin for WordPress
  • Affected versions: All versions up to, and including, 4.5.8
  • Published: March 13, 2026 at 7:55:13 PM UTC
  • Last modified: March 13, 2026 at 7:55:13 PM UTC
  • CVSS v3.1: Base Score 4.3, Severity MEDIUM; Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
  • Authentication / Privileges / User interaction: Requires authentication; privileges required: low (Subscriber-level access and above, per the description); user interaction: none
  • Primary impact: Confidentiality: None; Integrity: Low; Availability: None
  • CWE / weakness ID: CWE-862 (Missing Authorization)

Technical Details

The vulnerability is a missing capability check in the add_menu_item() method, which is hooked to admin_menu. The method calls wp_insert_post() and update_post_meta() to create a sharing configuration (a published post of type wpzoom-sharing) without verifying that the current user has administrator-level capabilities. Because admin_menu fires on every wp-admin page load for any authenticated user, a Subscriber simply visiting the dashboard (for example, their own profile page) is enough to reach this code.

Because the configuration is created with default settings and published, the sharing buttons are then injected into all post content on the frontend via the the_content filter. The root cause is an authorization failure (CWE-862): low-privilege authenticated users can perform post and meta write operations that should be reserved for administrators.
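The pattern behind this class of bug, as an added illustration (this is example code written for this bulletin, not the WPZOOM plugin's source): a state-changing write placed inside an admin_menu callback, beside a hardened version that moves the write behind an explicit admin action guarded by current_user_can() and a nonce. The class names, menu slug, post title, meta key and action name are hypothetical; only the post type wpzoom-sharing and the two WordPress calls come from the advisory.

```php
<?php
/**
 * Illustrative pattern only: NOT the WPZOOM plugin's source.
 *
 * admin_menu fires on every wp-admin page load for every authenticated user,
 * including Subscribers (who can reach wp-admin to edit their profile). The
 * hook itself performs no capability check, and add_submenu_page() only
 * controls whether a menu entry is *displayed*; it does not gate the code
 * around it.
 */

// --- Vulnerable pattern (hypothetical class; mirrors the bug class described) ---
class Example_Sharing_Admin_Vulnerable {
    public function __construct() {
        add_action( 'admin_menu', array( $this, 'add_menu_item' ) );
    }

    public function add_menu_item() {
        add_submenu_page( 'options-general.php', 'Sharing', 'Sharing',
            'manage_options', 'example-sharing', '__return_null' );

        // BUG: write side effect inside a menu-registration hook with no
        // current_user_can() check, so any logged-in user triggers it.
        $existing = get_posts( array(
            'post_type'   => 'wpzoom-sharing',
            'post_status' => 'any',
            'numberposts' => 1,
            'fields'      => 'ids',
        ) );
        if ( empty( $existing ) ) {
            $id = wp_insert_post( array(
                'post_type'   => 'wpzoom-sharing',
                'post_status' => 'publish',
                'post_title'  => 'Default sharing',
            ) );
            update_post_meta( $id, '_example_sharing_settings', array( 'position' => 'after' ) );
        }
    }
}

// --- Hardened pattern ---
class Example_Sharing_Admin_Fixed {
    public function __construct() {
        add_action( 'admin_menu', array( $this, 'add_menu_item' ) );
        // admin-post.php?action=example_create_sharing, reached from a form
        // that includes wp_nonce_field( 'example_create_sharing' ).
        add_action( 'admin_post_example_create_sharing', array( $this, 'handle_create' ) );
    }

    public function add_menu_item() {
        // Menu registration only. No database writes in this hook.
        add_submenu_page( 'options-general.php', 'Sharing', 'Sharing',
            'manage_options', 'example-sharing', '__return_null' );
    }

    // Explicit, administrator-initiated action: capability first, then nonce,
    // then (and only then) the write.
    public function handle_create() {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.', 403 );
        }
        check_admin_referer( 'example_create_sharing' );

        $id = wp_insert_post( array(
            'post_type'   => 'wpzoom-sharing',
            'post_status' => 'publish',
            'post_title'  => 'Default sharing',
        ), true );
        if ( is_wp_error( $id ) ) {
            wp_die( esc_html( $id->get_error_message() ), 500 );
        }
        update_post_meta( $id, '_example_sharing_settings', array( 'position' => 'after' ) );

        wp_safe_redirect( admin_url( 'options-general.php?page=example-sharing&created=1' ) );
        exit;
    }
}
```

The important design point is the second class's separation of concerns: menu hooks register UI, and anything that writes to the database lives behind a request handler that checks the capability before doing anything else. Checking capabilities on the menu entry alone would not have helped, because the write was never behind that entry.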


How This Could Impact Your Website

In a multi-user WordPress site (site owner / administrator, internal staff editors, and external contributors or contractors), an authenticated user with Subscriber-level access or higher could trigger creation of a published sharing configuration. That configuration causes social sharing buttons to appear sitewide in post content without administrator approval.

Practical consequences include unexpected content changes that alter how posts are displayed to visitors, and some increased exposure to phishing or social engineering if an attacker can use the injected buttons to influence visitor behavior. The integrity of post content is affected at a low level; based on the information available, this does not indicate a full site compromise.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version (later than 4.5.8) is available.
  • Review and reduce unnecessary user roles and capabilities, especially for contributors and subscribers.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unexpected post creation, in particular posts of type wpzoom-sharing that an administrator did not create, or other unusual behavior.
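For sites that cannot update yet, an added example of a site-side interim guard plus an audit helper (example code written for this bulletin, not WPZOOM's or Freshy's code). It assumes only what the advisory states: the vulnerable path creates a post of type wpzoom-sharing through wp_insert_post(). The file name, function name and log message are hypothetical; the audit also assumes the post_author of a created configuration is the user whose request triggered it, which is wp_insert_post()'s default when no author is supplied.

```php
<?php
/**
 * Plugin Name: Interim guard for wpzoom-sharing posts (example, not WPZOOM code)
 * Description: Drop into wp-content/mu-plugins/ until the plugin is patched.
 */

// 1. Block creation of wpzoom-sharing posts by anyone without manage_options.
//    Returning true from the wp_insert_post_empty_content filter makes
//    wp_insert_post() abort: it returns 0, or a WP_Error when $wp_error is set.
//    Administrators are unaffected, so legitimate configuration still works.
add_filter( 'wp_insert_post_empty_content', function ( $maybe_empty, $postarr ) {
    if ( isset( $postarr['post_type'] )
        && 'wpzoom-sharing' === $postarr['post_type']
        && ! current_user_can( 'manage_options' ) ) {
        // Hypothetical log line; goes to PHP's error_log destination.
        error_log( sprintf(
            'interim-guard: blocked wpzoom-sharing post write by user %d',
            get_current_user_id()
        ) );
        return true;
    }
    return $maybe_empty;
}, 10, 2 );

// 2. Audit existing wpzoom-sharing posts. Any such post whose author lacks
//    manage_options (including a deleted user, for which user_can() returns
//    false) is flagged for review.
function example_audit_sharing_posts() {
    $posts = get_posts( array(
        'post_type'   => 'wpzoom-sharing',
        'post_status' => 'any',
        'numberposts' => -1,
    ) );

    $findings = array();
    foreach ( $posts as $post ) {
        $author_id  = (int) $post->post_author;
        $findings[] = array(
            'ID'         => $post->ID,
            'author'     => $author_id,
            'date'       => $post->post_date,
            'status'     => $post->post_status,
            'suspicious' => ! user_can( $author_id, 'manage_options' ),
        );
    }
    return $findings;
}

// Run the audit from the command line with WP-CLI:
//   wp eval 'print_r( example_audit_sharing_posts() );'
```

A flagged entry is a prompt to inspect the post and its meta before deleting it; a sharing configuration legitimately created by an administrator will show an author who holds manage_options. Remove the mu-plugin once the site runs a patched plugin version.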

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

