Skip to main content

Izooto EUVDEUVD-2026-20352

| CVE-2026-39673 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-xvqj-4fq7-2gfv
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:43 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20352
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in shrikantkale iZooto izooto-web-push allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iZooto: from n/a through <= 3.7.20.

AnalysisAI

Missing authorization in iZooto web push plugin versions 3.7.20 and earlier allows unauthenticated remote attackers to modify data through incorrectly configured access control, compromised integrity without requiring authentication or user interaction. CVSS 5.3 reflects the integrity impact; EPSS 0.02% indicates extremely low real-world exploitation probability despite the straightforward attack vector (AV:N, AC:L, PR:N).

Technical ContextAI

iZooto is a web push notification plugin (CPE: cpe:2.3:a:shrikantkale:izooto) that implements access control mechanisms to restrict sensitive operations. The vulnerability stems from CWE-862 (Missing Authorization), indicating that the application fails to properly enforce authorization checks on functionality that should be restricted to authenticated or privileged users. The plugin likely exposes administrative or data-modification endpoints without validating user permissions, allowing the access control security levels to be bypassed through direct API or endpoint manipulation.

RemediationAI

Update iZooto to a patched version beyond 3.7.20 as provided by Shrikantkale. Users should review the Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/izooto-web-push/vulnerability/wordpress-izooto-plugin-3-7-20-broken-access-control-vulnerability) for specific patched version availability and upgrade instructions. As an interim measure, restrict web server access to iZooto administrative endpoints using network-level controls or web application firewall rules to limit who can reach the unprotected endpoints, though this does not resolve the underlying authorization flaw.

Share

EUVD-2026-20352 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy