{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39673", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:05.154Z", "datePublished": "2026-04-08T08:30:39.650Z", "dateUpdated": "2026-04-08T08:30:39.650Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "izooto-web-push", "product": "iZooto", "vendor": "shrikantkale", "versions": [{"lessThanOrEqual": "3.7.20", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:40.369Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in shrikantkale iZooto izooto-web-push allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects iZooto: from n/a through <= 3.7.20.</p>"}], "value": "Missing Authorization vulnerability in shrikantkale iZooto izooto-web-push allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iZooto: from n/a through <= 3.7.20."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:39.650Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/izooto-web-push/vulnerability/wordpress-izooto-plugin-3-7-20-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress iZooto plugin <= 3.7.20 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in shrikantkale iZooto izooto-web-push allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iZooto: from n/a through <= 3.7.20."}], "id": "CVE-2026-39673", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:38.827", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/izooto-web-push/vulnerability/wordpress-izooto-plugin-3-7-20-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.7.20]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "iZooto", "source": "cna", "vendor": "shrikantkale"}, "product": "izooto", "vendor": "shrikantkale"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:33:50.355072+00:00", "value": {"mitigation_remediation": ["Update the iZooto plugin to a version newer than 3.7.20", "Verify that access control settings for the plugin are properly configured", "If an update is not possible, consider disabling or uninstalling the plugin to eliminate the risk"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The affected product is the iZooto WordPress plugin by shrikantkale. All releases up to and including version 3.7.20 are vulnerable.", "description_and_impact": "The iZooto WordPress plugin contains a missing authorization flaw (CWE-862) that allows attackers to bypass configured access control settings. This vulnerability lets users access functions normally reserved for administrators, potentially compromising the site\u2019s integrity and confidentiality.", "risk_and_exploitability": "Based on the description, it is inferred that the exploitation can occur through standard HTTP requests to the plugin's administrative endpoints. The missing security check indicates that anyone who can reach the site could use the flaw, making the risk high. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, but the severity of the unauthorized access warrants immediate mitigation."}}}}, "created": "2026-04-08T19:27:59.595433+00:00", "updated": "2026-04-08T19:41:02.892663+00:00", "vendors": ["shrikantkale", "shrikantkale$PRODUCT$izooto", "wordpress", "wordpress$PRODUCT$wordpress"]}