{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39673", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:05.154Z", "datePublished": "2026-04-08T08:30:39.650Z", "dateUpdated": "2026-04-29T09:52:03.914Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "izooto-web-push", "product": "iZooto", "vendor": "shrikantkale", "versions": [{"lessThanOrEqual": "3.7.20", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:40.369Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in shrikantkale iZooto izooto-web-push allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects iZooto: from n/a through <= 3.7.20.</p>"}], "value": "Missing Authorization vulnerability in shrikantkale iZooto izooto-web-push allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iZooto: from n/a through <= 3.7.20."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:03.914Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/izooto-web-push/vulnerability/wordpress-izooto-plugin-3-7-20-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress iZooto plugin <= 3.7.20 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T18:31:56.420829Z", "id": "CVE-2026-39673", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T19:26:35.454Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39673", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T18:31:56.420829Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:18:50.580Z"}}], "cna": {"title": "WordPress iZooto plugin <= 3.7.20 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "shrikantkale", "product": "iZooto", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.7.20"}], "packageName": "izooto-web-push", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:40.369Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/izooto-web-push/vulnerability/wordpress-izooto-plugin-3-7-20-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in shrikantkale iZooto izooto-web-push allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iZooto: from n/a through <= 3.7.20.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in shrikantkale iZooto izooto-web-push allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects iZooto: from n/a through <= 3.7.20.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:39.650Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39673", "state": "PUBLISHED", "dateUpdated": "2026-04-13T19:26:35.454Z", "dateReserved": "2026-04-07T10:58:05.154Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:39.650Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in shrikantkale iZooto izooto-web-push allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iZooto: from n/a through <= 3.7.20."}], "id": "CVE-2026-39673", "lastModified": "2026-04-24T18:06:04.160", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:38.827", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/izooto-web-push/vulnerability/wordpress-izooto-plugin-3-7-20-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.7.20]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "iZooto", "source": "cna", "vendor": "shrikantkale"}, "product": "izooto", "vendor": "shrikantkale"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-13T21:22:48.251418+00:00", "value": {"mitigation_remediation": ["Update the iZooto plugin to a version newer than 3.7.20 as soon as an official patch is released", "If a patch is not yet available, disable or uninstall the plugin to eliminate the attack surface", "Review WordPress user role permissions to ensure that only authorized roles can access plugin settings", "Monitor web and error logs for suspicious attempts to interact with the plugin\u2019s administrative endpoints", "Perform a security audit of any custom code that interfaces with the iZooto plugin"], "summary": {"action": "Patch Now", "impact": "Unauthorized access to plugin functionality via broken access control"}, "threat_synthesis": {"affected_systems": "Affected software is the shrikantkale iZooto iZooto\u2011web\u2011push plugin, from the earliest releases up to and including version 3.7.20. Any WordPress site using these plugin versions is exposed; no other vendor or product is listed.", "description_and_impact": "The vulnerability is a missing authorization flaw in the WordPress iZooto plugin that permits actors to bypass intended access controls. This can lead to unauthorized manipulation of the plugin's features and data. The root weakness is an improper permission check (CWE\u2011862).", "risk_and_exploitability": "CVSS score is 5.3, indicating moderate severity, while the EPSS score is below 1\u202f% and the vulnerability is not in the CISA KEV catalogue. The expressed bug concerns incorrectly configured access\u2011control levels, so exploitation could involve a web\u2011based attack that takes advantage of the plugin\u2019s permission checks when interacting with administrative endpoints. The exact attack vector is not explicitly documented, but a web request that targets privileged plugin functionality is inferred as the most probable method. The low exploit probability and lack of a KEV listing suggest that active exploitation is currently unlikely; nevertheless, the medium severity and missing authorization warrant timely remediation."}}}}, "created": "2026-04-08T19:27:59.595433+00:00", "updated": "2026-04-14T16:38:40.463992+00:00", "vendors": ["shrikantkale", "shrikantkale$PRODUCT$izooto", "wordpress", "wordpress$PRODUCT$wordpress"]}