CVE-2026-39673
Received Received - Intake
Missing Authorization in iZooto Web Push Enables Unauthorized Access

Publication date: 2026-04-08

Last updated on: 2026-04-13

Assigner: Patchstack

Description
Missing Authorization vulnerability in shrikantkale iZooto izooto-web-push allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iZooto: from n/a through <= 3.7.20.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-04-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39673
EUVD
EUVD-2026-20352
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
shrikantkale izooto_web_push to 3.7.20 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

The immediate mitigation involves updating the affected iZooto plugin to a version later than 3.7.20.

If updating the plugin is not feasible, users are advised to seek assistance from their hosting provider or web developer to implement alternative protective measures.

Detection Guidance

The vulnerability in the iZooto WordPress plugin (versions up to 3.7.20) is due to missing authorization and authentication checks, allowing unauthenticated users to perform privileged actions.

To detect this vulnerability on your system, you should first identify if the affected plugin version is installed.

  • Check the installed version of the iZooto plugin in your WordPress installation by running: wp plugin list | grep izooto-web-push
  • If the version is less than or equal to 3.7.20, the plugin is vulnerable.

Since the vulnerability involves missing access control, you can attempt to access plugin functions or endpoints that require authorization without authentication to test if unauthorized actions are possible.

  • Use curl or similar tools to send requests to plugin endpoints without authentication and observe if privileged actions are allowed.
  • Example command: curl -X POST https://yourwebsite.com/wp-admin/admin-ajax.php?action=izooto_some_privileged_action

Note that no official patch is currently available, so detection mainly relies on version checking and testing unauthorized access attempts.

Impact Analysis

This vulnerability enables attackers to potentially exploit thousands of websites using the affected plugin, regardless of site popularity or traffic.

Exploitation allows unauthorized users to perform privileged actions, which could lead to unauthorized changes or access within the affected website.

However, the vulnerability is considered low priority with limited impact, and exploitation is unlikely to cause significant damage.

Executive Summary

The vulnerability in the WordPress iZooto Plugin (versions up to and including 3.7.20) is a Broken Access Control issue caused by missing authorization, authentication, or nonce token checks in certain plugin functions.

This flaw allows unauthenticated users to perform actions that normally require higher privileges, effectively bypassing access controls.

It is classified under the OWASP Top 10 category A1: Broken Access Control and has a CVSS severity score of 5.3, indicating a low priority threat with limited impact.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39673. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart