{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4063", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-12T17:32:50.022Z", "datePublished": "2026-03-13T09:25:00.829Z", "dateUpdated": "2026-04-08T16:58:55.714Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:58:55.714Z"}, "affected": [{"vendor": "wpzoom", "product": "Social Icons Widget & Block \u2013 Social Media Icons & Share Buttons", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.5.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the add_menu_item() method hooked to admin_menu in all versions up to, and including, 4.5.8. This is due to the method performing wp_insert_post() and update_post_meta() calls to create a sharing configuration without verifying the current user has administrator-level capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the creation of a published wpzoom-sharing configuration post with default sharing button settings, which causes social sharing buttons to be automatically injected into all post content on the frontend via the the_content filter."}], "title": "Social Icons Widget & Block <= 4.5.8 - Missing Authorization to Authenticated (Subscriber+) Sharing Configuration Creation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6af64b51-1758-495f-b6d7-364488de9ab8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/trunk/includes/classes/class-wpzoom-social-sharing-buttons.php#L110"}, {"url": "https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/tags/4.5.8/includes/classes/class-wpzoom-social-sharing-buttons.php#L110"}, {"url": "https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/tags/4.5.8/includes/classes/class-wpzoom-social-sharing-buttons.php#L134"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3481444%40social-icons-widget-by-wpzoom%2Ftrunk&old=3462717%40social-icons-widget-by-wpzoom%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "darkestmode"}], "timeline": [{"time": "2026-03-12T19:20:35.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-12T20:38:20.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T15:57:20.749250Z", "id": "CVE-2026-4063", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T15:57:28.037Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4063", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T15:57:20.749250Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T15:57:24.323Z"}}], "cna": {"title": "Social Icons Widget & Block <= 4.5.8 - Missing Authorization to Authenticated (Subscriber+) Sharing Configuration Creation", "credits": [{"lang": "en", "type": "finder", "value": "darkestmode"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpzoom", "product": "Social Icons Widget & Block \u2013 Social Media Icons & Share Buttons", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.5.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-12T19:20:35.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-12T20:38:20.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6af64b51-1758-495f-b6d7-364488de9ab8?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/trunk/includes/classes/class-wpzoom-social-sharing-buttons.php#L110"}, {"url": "https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/tags/4.5.8/includes/classes/class-wpzoom-social-sharing-buttons.php#L110"}, {"url": "https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/tags/4.5.8/includes/classes/class-wpzoom-social-sharing-buttons.php#L134"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3481444%40social-icons-widget-by-wpzoom%2Ftrunk&old=3462717%40social-icons-widget-by-wpzoom%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the add_menu_item() method hooked to admin_menu in all versions up to, and including, 4.5.8. This is due to the method performing wp_insert_post() and update_post_meta() calls to create a sharing configuration without verifying the current user has administrator-level capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the creation of a published wpzoom-sharing configuration post with default sharing button settings, which causes social sharing buttons to be automatically injected into all post content on the frontend via the the_content filter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-13T09:25:00.829Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4063", "state": "PUBLISHED", "dateUpdated": "2026-03-13T15:57:28.037Z", "dateReserved": "2026-03-12T17:32:50.022Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-13T09:25:00.829Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the add_menu_item() method hooked to admin_menu in all versions up to, and including, 4.5.8. This is due to the method performing wp_insert_post() and update_post_meta() calls to create a sharing configuration without verifying the current user has administrator-level capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the creation of a published wpzoom-sharing configuration post with default sharing button settings, which causes social sharing buttons to be automatically injected into all post content on the frontend via the the_content filter."}, {"lang": "es", "value": "El plugin Social Icons Widget &amp; Block de WPZOOM para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una falta de verificaci\u00f3n de capacidad en el m\u00e9todo add_menu_item() enganchado a admin_menu en todas las versiones hasta la 4.5.8, inclusive. Esto se debe a que el m\u00e9todo realiza llamadas a wp_insert_post() y update_post_meta() para crear una configuraci\u00f3n de compartici\u00f3n sin verificar que el usuario actual tenga capacidades de nivel de administrador. Esto hace posible que atacantes autenticados, con acceso de nivel de Suscriptor y superior, activen la creaci\u00f3n de una publicaci\u00f3n de configuraci\u00f3n de compartici\u00f3n wpzoom publicada con la configuraci\u00f3n predeterminada de los botones de compartici\u00f3n, lo que provoca que los botones de compartici\u00f3n social se inyecten autom\u00e1ticamente en todo el contenido de las publicaciones en el frontend a trav\u00e9s del filtro the_content."}], "id": "CVE-2026-4063", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-13T19:55:13.300", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/tags/4.5.8/includes/classes/class-wpzoom-social-sharing-buttons.php#L110"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/tags/4.5.8/includes/classes/class-wpzoom-social-sharing-buttons.php#L134"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/trunk/includes/classes/class-wpzoom-social-sharing-buttons.php#L110"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3481444%40social-icons-widget-by-wpzoom%2Ftrunk&old=3462717%40social-icons-widget-by-wpzoom%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6af64b51-1758-495f-b6d7-364488de9ab8?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.5.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Social Icons Widget & Block \u2013 Social Media Icons & Share Buttons", "source": "cna", "vendor": "wpzoom"}, "product": "social_icons_widget_&_block_\u2013_social_media_icons_&_share_buttons", "vendor": "wpzoom"}], "analysis": {"en": {"generated_at": "2026-03-19T16:20:47.808044+00:00", "value": {"mitigation_remediation": ["Update the WPZOOM Social Icons Widget & Block plugin to the latest released version (\u22654.5.9) to remove the missing capability check.", "If an update is not possible at the time, temporarily disable or uninstall the plugin to prevent unauthorized configuration creation.", "Search the site for any unexpectedly created wpzoom\u2011sharing configuration posts and delete them to eliminate unwanted social sharing buttons."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Configuration Change"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the wpzoom:Social Icons Widget & Block \u2013 Social Media Icons & Share Buttons plugin with any release up to and including v4.5.8 are affected. The vulnerability resides in the class-wpzoom-social-sharing-buttons.php file, specifically around lines 110 and 134, where the add_menu_item() method is defined. This applies to all users with Subscriber level or higher logging into the WordPress admin area.", "description_and_impact": "The WPZOOM Social Icons Widget & Block plugin up to version 4.5.8 contains a missing capability check in its add_menu_item() method. This oversight allows any authenticated WordPress user with Subscriber level or higher to trigger wp_insert_post() and update_post_meta() calls that create a new wpzoom\u2011sharing configuration post. The newly created configuration is automatically published, and the plugin\u2019s the_content filter injects social sharing buttons into every post\u2019s content on the front\u2011end. The consequence is unauthorized modification of the site\u2019s content presentation, which can lead to deceptive user experience or unintended disclosure of information. The weakness is a classic authorization flaw, specifically documented as CWE-862.", "risk_and_exploitability": "The CVSS score of 4.3 reflects a moderate severity with moderate complexity. EPSS indicates an exploitation probability of less than 1%, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is authenticated; the attacker simply needs to log in to the back\u2011end with a Subscriber\u2011level account (or higher) and invoke the configuration\u2011creation routine. No additional conditions or external attack prerequisites are described in the available reference material. The exploit can be performed via the admin_menu action hook that triggers plugin configuration creation, and the injected sharing buttons appear immediately on all public posts."}}}}, "created": "2026-03-16T09:37:47.101600+00:00", "updated": "2026-03-23T09:59:33.180078+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpzoom", "wpzoom$PRODUCT$social_icons_widget_&_block_\u2013_social_media_icons_&_share_buttons"]}