Vulnerability Description
The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the add_menu_item() method hooked to admin_menu in all versions up to, and including, 4.5.8. This is due to the method performing wp_insert_post() and update_post_meta() calls to create a sharing configuration without verifying the current user has administrator-level capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the creation of a published wpzoom-sharing configuration post with default sharing button settings, which causes social sharing buttons to be automatically injected into all post content on the frontend via the the_content filter.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/tags/4.
- https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/tags/4.
- https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/trunk/i
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6af64b51-1758-495f-b6d
FAQ
What is CVE-2026-4063?
CVE-2026-4063 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the add_menu_item() method hooked to admin_menu in a...
How severe is CVE-2026-4063?
CVE-2026-4063 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-4063?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.