cbcvebase.
CVE-2024-30464
published 2024-06-09


Priority: P2 (58), high
CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: flagged as available
EPSS: 1.52% (71.4th percentile)
Missing Authorization vulnerability in WPZOOM Social Icons Widget & Block by WPZOOM. This issue affects Social Icons Widget & Block by WPZOOM: from n/a through 4.2.15.

Affected (2 ranges)

Vendor   Product                              Version range   Fixed in
wpzoom   social_icons_widget                  < 4.2.16        4.2.16
wpzoom   social_icons_widget_block_by_wpzoom  n/a – 4.2.15    -

Detection & IOCs (extracted from sources)

url:     /wp-content/plugins/social-icons-widget-by-wpzoom/readme.txt
path:    /wp-admin/admin-ajax.php
command: action=zoom_ajax_set_pointer_transient&transient_name={{rand}}&lifetime=3600
path:    /plugins/social-icons-widget-by-wpzoom/
  • Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the action parameter set to 'zoom_ajax_set_pointer_transient', which is the vulnerable AJAX endpoint requiring no special authorization.
  • A successful exploitation response contains both the string 'Done, transient is set' and '"success":true' in the response body.
  • Fingerprint vulnerable installations by fetching the plugin readme.txt and checking for a stable tag version of 4.2.15 or below.
  • The exploit requires only low-privilege authenticated access (PR:L); monitor for low-privilege WordPress users making AJAX calls to the zoom_ajax_set_pointer_transient action.
  • The vulnerability affects WPZOOM Social Icons Widget & Block versions up to and including 4.2.15; version 4.2.16 and later are patched.
  • Exploitation requires no special conditions beyond low-privilege authentication (a standard WordPress subscriber account is sufficient).