Social Icons Widget & Block <= 4.5.8 - Missing Authorization to Authenticated (Subscriber+) Sharing Configuration Creation
Description
The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the add_menu_item() method hooked to admin_menu in all versions up to, and including, 4.5.8. This is due to the method performing wp_insert_post() and update_post_meta() calls to create a sharing configuration without verifying the current user has administrator-level capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the creation of a published wpzoom-sharing configuration post with default sharing button settings, which causes social sharing buttons to be automatically injected into all post content on the frontend via the the_content filter.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=4.5.8What Changed in the Fix
Changes introduced in v4.5.9
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-4063 ## 1. Vulnerability Summary The **Social Icons Widget & Block** plugin (<= 4.5.8) contains a missing authorization vulnerability in the `WPZOOM_Social_Sharing_Buttons::add_menu_item()` method. This method is hooked to `admin_menu`, which executes for any …
Show full research plan
Exploitation Research Plan: CVE-2026-4063
1. Vulnerability Summary
The Social Icons Widget & Block plugin (<= 4.5.8) contains a missing authorization vulnerability in the WPZOOM_Social_Sharing_Buttons::add_menu_item() method. This method is hooked to admin_menu, which executes for any authenticated user accessing the WordPress dashboard.
The method fails to verify if the current user has administrative capabilities before checking for the existence of a "Sharing Configuration" and creating one if it is missing using wp_insert_post(). An attacker with Subscriber-level access can trigger the creation of a published wpzoom-sharing custom post type. Once created, the plugin's the_content filter automatically injects social sharing buttons into all posts on the frontend, resulting in unauthorized data modification and site appearance alteration.
2. Attack Vector Analysis
- Endpoint: Any admin dashboard URL (e.g.,
/wp-admin/index.phpor/wp-admin/profile.php). - Hook:
admin_menu - Authentication: Authenticated (Subscriber or higher).
- Preconditions: No existing
wpzoom-sharingconfiguration must exist (the default state after plugin installation). - Payload: None required; the mere act of accessing an admin page triggers the vulnerable code path.
3. Code Flow
- Hook Registration: In
includes/classes/class-wpzoom-social-sharing-buttons.php, the constructor registers theadd_menu_itemmethod:add_action( 'admin_menu', array( $this, 'add_menu_item' ) ); - Entry Point: A Subscriber logs in and navigates to
/wp-admin/. WordPress fires theadmin_menuaction. - Vulnerable Method:
WPZOOM_Social_Sharing_Buttons::add_menu_item()is called:- It calls
$this->get_sharing_config(). - If no post of type
wpzoom-sharingexists, it proceeds to theelseblock.
- It calls
- Data Modification (Sink):
- The method defines
$default_block_content(a string containing Gutenberg block markup). - It executes
wp_insert_post():$post_id = wp_insert_post( array( 'post_title' => __( 'Social Sharing Buttons', 'social-icons-widget-by-wpzoom' ), 'post_content' => $default_block_content, 'post_status' => 'publish', 'post_type' => self::$post_type, // 'wpzoom-sharing' ) ); - It also calls
update_post_meta()to set default visibility.
- The method defines
- Frontend Impact: The constructor also registers a filter:
Now that a publishedadd_filter( 'the_content', array( $this, 'add_sharing_buttons_to_content' ) );wpzoom-sharingpost exists,add_sharing_buttons_to_contentwill find this config and append the sharing buttons to every post/page rendered on the site.
4. Nonce Acquisition Strategy
This vulnerability does not require a nonce. The code executes during the admin_menu lifecycle, which is triggered automatically by WordPress when an authenticated user (including a Subscriber) requests an admin page. No CSRF protection or nonce verification is performed within the add_menu_item method.
5. Exploitation Strategy
- Create Subscriber: Use WP-CLI to create a Subscriber user.
- Initial State Check: Verify no sharing configuration exists and frontend posts do not have sharing buttons.
- Trigger Vulnerability: Log in as the Subscriber and use
http_requestto access/wp-admin/index.php. - Verify Impact: Check if a new post of type
wpzoom-sharinghas been created. - Frontend Verification: Check a public post to see if the sharing buttons are now injected.
6. Test Data Setup
- Target Plugin: Install
social-icons-widget-by-wpzoomversion 4.5.8. - Public Content: Create a dummy post to observe frontend changes.
wp post create --post_type=post --post_title="Victim Post" --post_content="This is the original content." --post_status=publish - Attacker User:
wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
7. Expected Results
- The request to
/wp-admin/index.phpreturns a200 OK(or redirect if first login). - A new post appears in the database with
post_type = 'wpzoom-sharing'andpost_status = 'publish'. - A GET request to the "Victim Post" frontend URL contains the HTML for social sharing icons (e.g.,
<ul class="social-sharing-icons">).
8. Verification Steps
- Check Database for Config Post:
(Expected: Returns an ID, whereas previously it would be empty).wp post list --post_type=wpzoom-sharing --format=ids - Verify Frontend Content Manipulation:
(Expected: Matches found).# Replace URL with the actual permalink of the created post curl -s http://localhost:8080/index.php/victim-post/ | grep "wpzoom-social-sharing-block"
9. Alternative Approaches
If /wp-admin/index.php is restricted or behaves unexpectedly, any authenticated admin-context request will trigger the admin_menu hook:
- Accessing
/wp-admin/profile.php. - Sending a request to
/wp-admin/admin-ajax.phpwith a valid session cookie (even if the action doesn't exist, the admin environment initializes).
Example backup request:
# Using http_request tool
# Method: GET
# URL: http://localhost:8080/wp-admin/admin-ajax.php?action=noop
# Cookies: [Subscriber Session Cookies]
Summary
The Social Icons Widget & Block plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in its add_menu_item() method. Authenticated attackers, including those with subscriber-level permissions, can trigger the automatic creation of a 'Sharing Configuration' post simply by accessing any admin page, which subsequently injects social sharing buttons into all frontend content via a content filter.
Vulnerable Code
// includes/classes/class-wpzoom-social-sharing-buttons.php public function add_menu_item() { $parent_slug = 'edit.php?post_type=wpzoom-shortcode'; // Check if there's an existing configuration $existing_config = $this->get_sharing_config(); if ( $existing_config ) { // ... (truncated) } else { // No configuration exists, create one // Set up default block content with properly serialized block attributes $default_block_content = '<!-- wp:wpzoom-blocks/social-sharing ... -->'; $post_id = wp_insert_post( array( 'post_title' => __( 'Social Sharing Buttons', 'social-icons-widget-by-wpzoom' ), 'post_content' => $default_block_content, 'post_status' => 'publish', 'post_type' => self::$post_type, ) ); if ( $post_id ) { update_post_meta( $post_id, '_wpzoom_sharing_visibility', array( 'post', 'page' ) ); } } }
Security Fix
@@ -108,6 +108,11 @@ * Add menu item */ public function add_menu_item() { + // Only administrators should be able to create/manage sharing configuration. + if ( ! current_user_can( 'manage_options' ) ) { + return; + } + $parent_slug = 'edit.php?post_type=wpzoom-shortcode'; // Check if there's an existing configuration
Exploit Outline
1. Authenticate as a user with at least Subscriber-level privileges. 2. Access any WordPress admin dashboard endpoint (e.g., /wp-admin/index.php). 3. The 'admin_menu' hook will trigger the plugin's add_menu_item() method. 4. Because there is no capability check, the method will verify if a 'wpzoom-sharing' post type exists. If it does not (the default state after install), the method executes wp_insert_post() to create a published sharing configuration. 5. Verify that social sharing buttons are now injected into the bottom of all frontend posts/pages via the the_content filter, which relies on the existence of that configuration post.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.