Description
Missing Authorization vulnerability in shrikantkale iZooto izooto-web-push allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iZooto: from n/a through <= 3.7.20.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Immediate Patch
AI Analysis

Impact

The iZooto WordPress plugin contains a missing authorization flaw (CWE-862) that allows attackers to bypass configured access control settings. This vulnerability lets users access functions normally reserved for administrators, potentially compromising the site’s integrity and confidentiality.

Affected Systems

The affected product is the iZooto WordPress plugin by shrikantkale. All releases up to and including version 3.7.20 are vulnerable.

Risk and Exploitability

Based on the description, it is inferred that the exploitation can occur through standard HTTP requests to the plugin's administrative endpoints. The missing security check indicates that anyone who can reach the site could use the flaw, making the risk high. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, but the severity of the unauthorized access warrants immediate mitigation.

Generated by OpenCVE AI on April 8, 2026 at 10:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the iZooto plugin to a version newer than 3.7.20
  • Verify that access control settings for the plugin are properly configured
  • If an update is not possible, consider disabling or uninstalling the plugin to eliminate the risk

Generated by OpenCVE AI on April 8, 2026 at 10:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Shrikantkale
Shrikantkale izooto
Wordpress
Wordpress wordpress
Vendors & Products Shrikantkale
Shrikantkale izooto
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in shrikantkale iZooto izooto-web-push allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iZooto: from n/a through <= 3.7.20.
Title WordPress iZooto plugin <= 3.7.20 - Broken Access Control vulnerability
Weaknesses CWE-862
References

Subscriptions

Shrikantkale Izooto
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:39.650Z

Reserved: 2026-04-07T10:58:05.154Z

Link: CVE-2026-39673

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T09:16:38.827

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-39673

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:41:02Z

Weaknesses