WordPress Plugin Vulnerabilities

Social Icons Widget & Block by WPZOOM < 4.2.16 - Missing Authorization

Description

The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the zoom_ajax_set_pointer_transient() function in versions up to, and including, 4.2.15. This makes it possible for authenticated attackers, with subscriber-level access and above, to set pointer transients.

Affects Plugins

Plugin icon
social-icons-widget-by-wpzoom
Fixed in 4.2.16

References

CVE
CVE-2024-30464
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/27e4d27f-b943-4cb3-b38a-01192844e9ac

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
6ad70216-966e-4638-8fc1-b401635ce4b9

Timeline

Publicly Published
2024-03-28 (about 2 years ago)
Added
2024-04-04 (about 2 years ago)
Last Updated
2024-04-04 (about 2 years ago)

Other

Published
Title
Published
2024-04-05
Title
Advanced Local Pickup for WooCommerce < 1.6.3 - Missing Authorization
Published
2026-04-10
Title
Tutor LMS < 3.9.8 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment
Published
2025-05-09
Title
Lead Form Data Collection to CRM < 3.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Published
2024-04-17
Title
Wp Ultimate Review < 2.3.0 - Missing Authorization
Published
2023-10-31
Title
WooODT Lite < 2.4.7 - Missing Authorization to Arbitrary Options Update