CVE-2026-4063

Name of the Vulnerable Software and Affected Versions WPZOOM Social Icons Widget & Block versions up to and including 4.5.8

Description The Social Icons Widget & Block plugin for WordPress is susceptible to unauthorized data modification. This occurs because of a missing capability check within the add menu item() function, which is connected to the admin menu action. The function uses wp insert post() and update post meta() to create sharing configurations without verifying that the current user has administrator-level permissions. This allows authenticated attackers with Subscriber-level access or higher to create a published wpzoom-sharing configuration post with default sharing button settings. Consequently, social sharing buttons are automatically injected into all post content on the frontend through the the content filter.

Recommendations Update WPZOOM Social Icons Widget & Block to version 4.5.9 or later.