CVE-2024-2189

6.1 MEDIUM

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in the Social Icons Widget & Block by WPZOOM WordPress plugin allows users with administrator access to inject scripts into widget settings, which then execute in other users' browsers. It affects WordPress sites running vulnerable plugin versions and matters mainly in multisite configurations, where the unfiltered_html capability is withheld from administrators (on a single site an administrator can already post unfiltered HTML, so the plugin adds no new capability there).

💻 Affected Systems

Products:
  • Social Icons Widget & Block by WPZOOM WordPress plugin
Versions: Before 4.2.18
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin-level access; particularly relevant in WordPress multisite setups where unfiltered_html capability is disallowed.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Administrator account compromise leads to site takeover, data theft, or malware distribution to visitors.

🟠 Likely Case: A malicious admin injects scripts to steal session cookies, redirect users, or deface the site.

🟢 If Mitigated: Limited to admin users only, with minimal impact if proper user access controls are enforced.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin privileges; proof-of-concept details are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.18

Vendor Advisory: https://wpscan.com/vulnerability/b8661fbe-78b9-4d29-90bf-5b68af468eb6/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Social Icons Widget & Block by WPZOOM'.
4. Click 'Update Now' if available, or manually update to version 4.2.18 or later.

🔧 Temporary Workarounds

Disable vulnerable plugin (platform: all)

Temporarily deactivate the plugin until patched:

wp plugin deactivate social-icons-widget-by-wpzoom

Restrict admin access (platform: all)

Limit administrative accounts to trusted users only.

🧯 If You Can't Patch

  • Remove admin privileges from untrusted users.
  • Implement web application firewall (WAF) rules to block XSS payloads.

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins > Installed Plugins.

Check Version:

wp plugin get social-icons-widget-by-wpzoom --field=version

Verify Fix Applied:

Confirm plugin version is 4.2.18 or later after update.
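The version check above is easy to get wrong when scripted: a plain string comparison such as version<"4.2.18" sorts "4.2.9" after "4.2.18" and misses it. The script below is an added example, not part of the advisory or of the plugin; it compares versions component by component and, when wp-cli is present, wraps the wp plugin get command from this page to report whether the installed release predates the fix. The function names and the --check flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): numeric comparison of an installed
# plugin version against the fixed release, so "4.2.9" is correctly treated
# as older than "4.2.18". Plain POSIX sh; wp-cli is only needed by check_site.

FIXED_VERSION="4.2.18"

# version_lt A B: returns 0 if version A is older than B, 1 otherwise.
# Compares up to four numeric components; a leading "v" and any suffix
# such as "-beta" on a component are ignored.
version_lt() {
    a="${1#v}.0.0.0"
    b="${2#v}.0.0.0"
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s\n' "$b" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# plugin_is_vulnerable VERSION: returns 0 when VERSION predates the fix.
plugin_is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_site: reads the live version with the wp-cli command given in the
# advisory and reports; returns 0 = vulnerable, 1 = fixed, 2 = cannot tell.
check_site() {
    if ! command -v wp >/dev/null 2>&1; then
        echo "wp-cli not found; run from a WordPress root with wp-cli installed" >&2
        return 2
    fi
    v=$(wp plugin get social-icons-widget-by-wpzoom --field=version 2>/dev/null) || {
        echo "plugin not installed (nothing to patch)" >&2
        return 2
    }
    if plugin_is_vulnerable "$v"; then
        echo "VULNERABLE: installed $v is older than $FIXED_VERSION"
        return 0
    fi
    echo "OK: installed $v is $FIXED_VERSION or later"
    return 1
}

# Run the live check only when asked, so sourcing this file is side-effect free.
if [ "${1:-}" = "--check" ]; then
    check_site
fi
```

Run it as `sh check_wpzoom.sh --check` from the WordPress root, or source it and call plugin_is_vulnerable with a version string taken from any other inventory source; the exit code is what a cron job or fleet script should key on.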

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin activity modifying widget settings
  • Script tags in widget configuration data
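The "script tags in widget configuration data" indicator can be checked directly against an export of the widget settings. The script below is an added example, not part of the advisory or the plugin: it reads one setting per line in a constructed "widget_id<TAB>value" format (how you dump the real option data, for example with wp option get on the plugin's widget option, depends on the plugin and is assumed here) and prints the ids whose value carries script content, using a heuristic that ignores harmless query strings.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): heuristic scan of
# widget settings for script content. Input format is constructed:
# one setting per line, "<widget_id>TAB<value>".

# Heuristic: script tags, iframes, javascript: URLs and inline event
# handlers (" onerror=", "/onload =") should never appear in a social
# icon's label or URL. A separator is required before "on..." so that
# query strings such as "?monday=1" are not flagged.
SUSPICIOUS_RE='<script|<iframe|javascript:|[[:space:]"/]on[a-z]+[[:space:]]*='

# scan_widget_lines: reads settings on stdin, prints the ids whose value
# matches, returns 0 if anything matched and 1 if the data looks clean.
scan_widget_lines() {
    matches=$(grep -Ei "$SUSPICIOUS_RE" | cut -f1 | sort -u)
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches"
    return 0
}

# Constructed sample: two benign entries and two injected ones.
sample_widget_data() {
    printf 'icon_1\thttps://twitter.com/example\n'
    printf 'icon_2\thttps://example.com/?monday=1\n'
    printf 'icon_3\t<script>alert(1)</script>\n'
    printf 'icon_4\thttps://example.com/" onmouseover="alert(1)\n'
}

# Demo run only when asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--demo" ]; then
    sample_widget_data | scan_widget_lines
fi
```

On the constructed sample the scan reports icon_3 and icon_4. A non-zero exit from scan_widget_lines on a real export is a reasonable "clean" signal for a scheduled job; any match deserves a look at who last saved the widget, which ties back to the admin-activity indicator above.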

Network Indicators:

  • Unexpected JavaScript execution from widget content

SIEM Query:

source="wordpress" AND event="plugin_update" AND plugin_name="social-icons-widget-by-wpzoom" AND version<"4.2.18"
