VYPR
Medium severity 5.3 · NVD Advisory · Published Apr 8, 2026 · Updated Apr 24, 2026

CVE-2026-39673

Description

Missing Authorization vulnerability in shrikantkale iZooto izooto-web-push allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects iZooto: from n/a through <= 3.7.20.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Missing authorization in iZooto WordPress plugin up to 3.7.20 allows unauthenticated attackers to exploit incorrectly configured access controls.

The iZooto WordPress plugin versions up to and including 3.7.20 contain a missing authorization vulnerability. The plugin fails to properly validate access control security levels, leaving certain functions exposed without adequate permission checks. This is a classic case of broken access control, where the software does not enforce the intended restrictions for authenticated versus unauthenticated users [1].

Exploitation of this vulnerability does not require authentication. Attackers can send crafted requests to the affected plugin's endpoints, bypassing the intended authorization checks. The attack surface is wide, as the plugin is installed on many WordPress sites, and the flaw can be leveraged without prior access or specific privileges [1].

Successful exploitation allows an attacker to perform actions that should be reserved for higher-privileged users. This could include modifying plugin settings, accessing sensitive configurations, or executing other unauthorized operations, depending on the specific functions that are missing authorization. The vulnerability is rated Medium (CVSS 5.3) due to the limited direct impact on confidentiality or integrity but is still concerning because of the ease of exploitation [1].

As a mitigation, site administrators should immediately update the iZooto plugin to a version newer than 3.7.20. If updating is not immediately possible, restricting access to the plugin's admin pages or seeking assistance from a hosting provider is recommended. No workaround is officially provided other than applying the patch [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.


References

1
