CVE-2026-39673
Missing Authorization in iZooto Web Push Enables Unauthorized Access
Publication date: 2026-04-08
Last updated on: 2026-04-13
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shrikantkale | izooto_web_push | to 3.7.20 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability enables attackers to potentially exploit thousands of websites using the affected plugin, regardless of site popularity or traffic.
Exploitation allows unauthorized users to perform privileged actions, which could lead to unauthorized changes or access within the affected website.
However, the vulnerability is considered low priority with limited impact, and exploitation is unlikely to cause significant damage.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation involves updating the affected iZooto plugin to a version later than 3.7.20.
If updating the plugin is not feasible, users are advised to seek assistance from their hosting provider or web developer to implement alternative protective measures.
Can you explain this vulnerability to me?
The vulnerability in the WordPress iZooto Plugin (versions up to and including 3.7.20) is a Broken Access Control issue caused by missing authorization, authentication, or nonce token checks in certain plugin functions.
This flaw allows unauthenticated users to perform actions that normally require higher privileges, effectively bypassing access controls.
It is classified under the OWASP Top 10 category A1: Broken Access Control and has a CVSS severity score of 5.3, indicating a low priority threat with limited impact.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability in the iZooto WordPress plugin (versions up to 3.7.20) is due to missing authorization and authentication checks, allowing unauthenticated users to perform privileged actions.
To detect this vulnerability on your system, you should first identify if the affected plugin version is installed.
- Check the installed version of the iZooto plugin in your WordPress installation by running: wp plugin list | grep izooto-web-push
- If the version is less than or equal to 3.7.20, the plugin is vulnerable.
Since the vulnerability involves missing access control, you can attempt to access plugin functions or endpoints that require authorization without authentication to test if unauthorized actions are possible.
- Use curl or similar tools to send requests to plugin endpoints without authentication and observe if privileged actions are allowed.
- Example command: curl -X POST https://yourwebsite.com/wp-admin/admin-ajax.php?action=izooto_some_privileged_action
Note that no official patch is currently available, so detection mainly relies on version checking and testing unauthorized access attempts.