CVE-2026-4063

Social Icons Widget & Block <= 4.5.8 - Missing Authorization to Authenticated (Subscriber+) Sharing Configuration Creation

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
4.5.9
Patched in
1d
Time to patch

Description

The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the add_menu_item() method hooked to admin_menu in all versions up to, and including, 4.5.8. This is due to the method performing wp_insert_post() and update_post_meta() calls to create a sharing configuration without verifying the current user has administrator-level capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the creation of a published wpzoom-sharing configuration post with default sharing button settings, which causes social sharing buttons to be automatically injected into all post content on the frontend via the the_content filter.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.5.8
PublishedMarch 12, 2026
Last updatedMarch 13, 2026

What Changed in the Fix

Changes introduced in v4.5.9

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-4063 ## 1. Vulnerability Summary The **Social Icons Widget & Block** plugin (<= 4.5.8) contains a missing authorization vulnerability in the `WPZOOM_Social_Sharing_Buttons::add_menu_item()` method. This method is hooked to `admin_menu`, which executes for any …

Show full research plan

Exploitation Research Plan: CVE-2026-4063

1. Vulnerability Summary

The Social Icons Widget & Block plugin (<= 4.5.8) contains a missing authorization vulnerability in the WPZOOM_Social_Sharing_Buttons::add_menu_item() method. This method is hooked to admin_menu, which executes for any authenticated user accessing the WordPress dashboard.

The method fails to verify if the current user has administrative capabilities before checking for the existence of a "Sharing Configuration" and creating one if it is missing using wp_insert_post(). An attacker with Subscriber-level access can trigger the creation of a published wpzoom-sharing custom post type. Once created, the plugin's the_content filter automatically injects social sharing buttons into all posts on the frontend, resulting in unauthorized data modification and site appearance alteration.

2. Attack Vector Analysis

  • Endpoint: Any admin dashboard URL (e.g., /wp-admin/index.php or /wp-admin/profile.php).
  • Hook: admin_menu
  • Authentication: Authenticated (Subscriber or higher).
  • Preconditions: No existing wpzoom-sharing configuration must exist (the default state after plugin installation).
  • Payload: None required; the mere act of accessing an admin page triggers the vulnerable code path.

3. Code Flow

  1. Hook Registration: In includes/classes/class-wpzoom-social-sharing-buttons.php, the constructor registers the add_menu_item method:
    add_action( 'admin_menu', array( $this, 'add_menu_item' ) );
    
  2. Entry Point: A Subscriber logs in and navigates to /wp-admin/. WordPress fires the admin_menu action.
  3. Vulnerable Method: WPZOOM_Social_Sharing_Buttons::add_menu_item() is called:
    • It calls $this->get_sharing_config().
    • If no post of type wpzoom-sharing exists, it proceeds to the else block.
  4. Data Modification (Sink):
    • The method defines $default_block_content (a string containing Gutenberg block markup).
    • It executes wp_insert_post():
      $post_id = wp_insert_post(
          array(
              'post_title'   => __( 'Social Sharing Buttons', 'social-icons-widget-by-wpzoom' ),
              'post_content' => $default_block_content,
              'post_status'  => 'publish',
              'post_type'    => self::$post_type, // 'wpzoom-sharing'
          )
      );
      
    • It also calls update_post_meta() to set default visibility.
  5. Frontend Impact: The constructor also registers a filter:
    add_filter( 'the_content', array( $this, 'add_sharing_buttons_to_content' ) );
    
    Now that a published wpzoom-sharing post exists, add_sharing_buttons_to_content will find this config and append the sharing buttons to every post/page rendered on the site.

4. Nonce Acquisition Strategy

This vulnerability does not require a nonce. The code executes during the admin_menu lifecycle, which is triggered automatically by WordPress when an authenticated user (including a Subscriber) requests an admin page. No CSRF protection or nonce verification is performed within the add_menu_item method.

5. Exploitation Strategy

  1. Create Subscriber: Use WP-CLI to create a Subscriber user.
  2. Initial State Check: Verify no sharing configuration exists and frontend posts do not have sharing buttons.
  3. Trigger Vulnerability: Log in as the Subscriber and use http_request to access /wp-admin/index.php.
  4. Verify Impact: Check if a new post of type wpzoom-sharing has been created.
  5. Frontend Verification: Check a public post to see if the sharing buttons are now injected.

6. Test Data Setup

  1. Target Plugin: Install social-icons-widget-by-wpzoom version 4.5.8.
  2. Public Content: Create a dummy post to observe frontend changes.
    wp post create --post_type=post --post_title="Victim Post" --post_content="This is the original content." --post_status=publish
    
  3. Attacker User:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
    

7. Expected Results

  • The request to /wp-admin/index.php returns a 200 OK (or redirect if first login).
  • A new post appears in the database with post_type = 'wpzoom-sharing' and post_status = 'publish'.
  • A GET request to the "Victim Post" frontend URL contains the HTML for social sharing icons (e.g., <ul class="social-sharing-icons">).

8. Verification Steps

  1. Check Database for Config Post:
    wp post list --post_type=wpzoom-sharing --format=ids
    
    (Expected: Returns an ID, whereas previously it would be empty).
  2. Verify Frontend Content Manipulation:
    # Replace URL with the actual permalink of the created post
    curl -s http://localhost:8080/index.php/victim-post/ | grep "wpzoom-social-sharing-block"
    
    (Expected: Matches found).

9. Alternative Approaches

If /wp-admin/index.php is restricted or behaves unexpectedly, any authenticated admin-context request will trigger the admin_menu hook:

  • Accessing /wp-admin/profile.php.
  • Sending a request to /wp-admin/admin-ajax.php with a valid session cookie (even if the action doesn't exist, the admin environment initializes).

Example backup request:

# Using http_request tool
# Method: GET
# URL: http://localhost:8080/wp-admin/admin-ajax.php?action=noop
# Cookies: [Subscriber Session Cookies]
Research Findings
Static analysis — not yet PoC-verified

Summary

The Social Icons Widget & Block plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in its add_menu_item() method. Authenticated attackers, including those with subscriber-level permissions, can trigger the automatic creation of a 'Sharing Configuration' post simply by accessing any admin page, which subsequently injects social sharing buttons into all frontend content via a content filter.

Vulnerable Code

// includes/classes/class-wpzoom-social-sharing-buttons.php

public function add_menu_item() {
    $parent_slug = 'edit.php?post_type=wpzoom-shortcode';
    
    // Check if there's an existing configuration
    $existing_config = $this->get_sharing_config();
    
    if ( $existing_config ) {
        // ... (truncated)
    } else {
        // No configuration exists, create one
        // Set up default block content with properly serialized block attributes
        $default_block_content = '<!-- wp:wpzoom-blocks/social-sharing ... -->';

        $post_id = wp_insert_post(
            array(
                'post_title'   => __( 'Social Sharing Buttons', 'social-icons-widget-by-wpzoom' ),
                'post_content' => $default_block_content,
                'post_status'  => 'publish',
                'post_type'    => self::$post_type,
            )
        );

        if ( $post_id ) {
            update_post_meta( $post_id, '_wpzoom_sharing_visibility', array( 'post', 'page' ) );
        }
    }
}

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/social-icons-widget-by-wpzoom/4.5.8/includes/classes/class-wpzoom-social-sharing-buttons.php	2026-02-09 14:12:56.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/social-icons-widget-by-wpzoom/4.5.9/includes/classes/class-wpzoom-social-sharing-buttons.php	2026-03-12 19:31:34.000000000 +0000
@@ -108,6 +108,11 @@
 	 * Add menu item
 	 */
 	public function add_menu_item() {
+		// Only administrators should be able to create/manage sharing configuration.
+		if ( ! current_user_can( 'manage_options' ) ) {
+			return;
+		}
+
 		$parent_slug = 'edit.php?post_type=wpzoom-shortcode';
 		
 		// Check if there's an existing configuration

Exploit Outline

1. Authenticate as a user with at least Subscriber-level privileges. 2. Access any WordPress admin dashboard endpoint (e.g., /wp-admin/index.php). 3. The 'admin_menu' hook will trigger the plugin's add_menu_item() method. 4. Because there is no capability check, the method will verify if a 'wpzoom-sharing' post type exists. If it does not (the default state after install), the method executes wp_insert_post() to create a published sharing configuration. 5. Verify that social sharing buttons are now injected into the bottom of all frontend posts/pages via the the_content filter, which relies on the existence of that configuration post.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.