Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in shrikantkale iZooto izooto-web-push allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iZooto: from n/a through <= 3.7.20.
AnalysisAI
Missing authorization in iZooto web push plugin versions 3.7.20 and earlier allows unauthenticated remote attackers to modify data through incorrectly configured access control, compromised integrity without requiring authentication or user interaction. CVSS 5.3 reflects the integrity impact; EPSS 0.02% indicates extremely low real-world exploitation probability despite the straightforward attack vector (AV:N, AC:L, PR:N).
Technical ContextAI
iZooto is a web push notification plugin (CPE: cpe:2.3:a:shrikantkale:izooto) that implements access control mechanisms to restrict sensitive operations. The vulnerability stems from CWE-862 (Missing Authorization), indicating that the application fails to properly enforce authorization checks on functionality that should be restricted to authenticated or privileged users. The plugin likely exposes administrative or data-modification endpoints without validating user permissions, allowing the access control security levels to be bypassed through direct API or endpoint manipulation.
RemediationAI
Update iZooto to a patched version beyond 3.7.20 as provided by Shrikantkale. Users should review the Patchstack database entry (https://patchstack.com/database/Wordpress/Plugin/izooto-web-push/vulnerability/wordpress-izooto-plugin-3-7-20-broken-access-control-vulnerability) for specific patched version availability and upgrade instructions. As an interim measure, restrict web server access to iZooto administrative endpoints using network-level controls or web application firewall rules to limit who can reach the unprotected endpoints, though this does not resolve the underlying authorization flaw.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20352
GHSA-xvqj-4fq7-2gfv