Does iZooto – Web Push Notifications have any unpatched vulnerabilities?

Yes — iZooto – Web Push Notifications currently has 1 published unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is iZooto – Web Push Notifications compatible with WordPress 6.9.4?

According to WordPress.org data, iZooto – Web Push Notifications 3.7.20 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

How often is iZooto – Web Push Notifications updated?

iZooto – Web Push Notifications was last updated on Jan 20, 2026. Frequent updates are generally a positive security signal.

What is iZooto – Web Push Notifications's security score?

iZooto – Web Push Notifications has a WP-Safety security score of 78/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

iZooto – Web Push Notifications Security & Risk Analysis

wordpress.org/plugins/izooto-web-push

Engage your audience and drive repeat traffic by delivering relevant and personalized push notifications - across web browsers, Android, iOS and Messe …

1K active installs v3.7.20 PHP + WP 3.0.1+ Updated Jan 20, 2026

app-push-notificationsbrowser-push-notificationsmessenger-push-notificationspush-notificationsweb-push-notifications

B · Generally Safe

CVEs total1

Unpatched1

Last CVEFeb 19, 2026

Plugin page Download

Safety Verdict

Is iZooto – Web Push Notifications Safe to Use in 2026?

Mostly Safe

Score 78/100

iZooto – Web Push Notifications is generally safe to use. 1 past CVE were resolved.

1 known CVE 1 unpatched Last CVE: Feb 19, 2026Updated 3mo ago

Risk Assessment

The izooto-web-push plugin v3.7.20 exhibits a mixed security posture. While it demonstrates good practices in areas like SQL query preparation and a high percentage of properly escaped output, there are significant concerns regarding its attack surface and lack of authentication checks.

The static analysis reveals one AJAX handler that lacks any authentication checks, presenting a direct entry point for potential malicious activity. Although taint analysis did not uncover critical or high severity vulnerabilities, the two identified flows with unsanitized paths are concerning and warrant further investigation, especially in conjunction with the unprotected AJAX handler. The absence of capability checks and the presence of external HTTP requests also add to the potential attack vectors.

The plugin's vulnerability history is remarkably clean, with no known CVEs. This lack of past issues is a positive indicator, suggesting either a strong development focus on security or limited exposure to sophisticated attacks. However, the presence of unprotected entry points in the current version means that this clean history could be a temporary state. Overall, the plugin has strengths in its handling of SQL and output, but the unprotected AJAX handler and unsanitized paths represent tangible risks that need to be addressed.

Key Concerns

Unprotected AJAX handler
Flows with unsanitized paths detected
Missing capability checks

Vulnerabilities

1 published

iZooto – Web Push Notifications Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched

2026

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2026-39673medium · 5.3Missing Authorization

iZooto <= 3.7.20 - Missing Authorization

Feb 19, 2026Unpatched

Version History

iZooto – Web Push Notifications Release Timeline

No version history available.

Code Analysis

Analyzed Mar 16, 2026

iZooto – Web Push Notifications Code Analysis

Dangerous Functions

Raw SQL Queries

2 prepared

Unescaped Output

52 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared2 total queries

Output Escaping

88% escaped59 total outputs

Data Flows · Security

2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths

izooto_curl_request (includes\class-izwoocommeventshelper.php:210)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

1 unprotected

iZooto – Web Push Notifications Attack Surface

Entry Points1

Unprotected1

AJAX Handlers 1

authwp_ajax_error_alertincludes\class-init.php:325

WordPress Hooks 16

actioninitincludes\admin.php:12

actionadmin_menuincludes\admin.php:13

actionadmin_enqueue_scriptsincludes\admin.php:14

actionadmin_noticesincludes\izootometa.php:19

actionadd_meta_boxesincludes\izootometa.php:421

actionsave_postincludes\izootometa.php:424

actionadmin_initincludes\izootometa.php:426

actiontransition_post_statusincludes\izootometa.php:429

filterquery_varsincludes\izootosdk.php:105

actionwp_headincludes\izootosdk.php:106

actionwp_footerincludes\izootosdk.php:107

actionparse_requestincludes\izootosdk.php:108

actionwoocommerce_add_to_cartincludes\izwoocommevents.php:233

actionwoocommerce_thankyouincludes\izwoocommevents.php:236

actionwoocommerce_after_single_productincludes\izwoocommevents.php:239

actionwoocommerce_after_main_contentincludes\izwoocommevents.php:242

Maintenance & Trust

iZooto – Web Push Notifications Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedJan 20, 2026

PHP min version

Downloads59K

Community Trust

Rating100/100

Number of ratings4

Active installs1K

Alternatives

iZooto – Web Push Notifications Alternatives

RollerAds – Web Push Notifications

rollerads

RollerAds - clear and flexible web-push service for webmasters. Push notifications are successfully used to send promotional content, user information …

100 No CVEs

Web Push Notifications – Webpushr

webpushr-web-push-notifications

Fastest growing & lightweight plugin for Web Push Notifications. Add browser push notifications to your WordPress & WooCommerce site.

10K 4 CVEs

Perfecty Push Notifications

perfecty-push-notifications

100

Push Notifications that are self-hosted, you don't need API keys to integrate with external Push Notifications providers that will charge you lat …

5K No CVEs

Gravitec.net – Web Push Notifications

gravitec-net-web-push-notifications

Easy-to-use and smart push notifications for your website. Increase subscriptions and repeat visits with minimal effort.

1K 1 CVE

Pushly

pushly

100

Take user engagement to a whole new level with an easy-to-use platform to engage audiences with targeted content after they leave your site.

1K No CVEs

Developer Profile

iZooto – Web Push Notifications Developer Profile

shrikantkale

1 plugin · 1K total installs

trust score

Avg Security Score

78/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect iZooto – Web Push Notifications

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/izooto-web-push/assets/css/unminified/admin_style.css/wp-content/plugins/izooto-web-push/assets/css/unminified/iznotify_style.css/wp-content/plugins/izooto-web-push/assets/js/unminified/admin_init.js/wp-content/plugins/izooto-web-push/assets/js/unminified/cookies.js/wp-content/plugins/izooto-web-push/assets/js/unminified/iznotify_editor_script.js/wp-content/plugins/izooto-web-push/assets/js/unminified/iznotify_script.js

Script Paths

https://fonts.googleapis.com/icon?family=Material+Icons

HTML / DOM Fingerprints

CSS Classes

izooto-wordpressizooto-logoshadow-cardcard-container-heightsection-twoizooto-footerform-control

HTML Comments

+4 more

Data Attributes

id="token"name="token"id="edit-token"id="tokensubmit"name="tokensubmit"id="freshUser"+1 more

JS Globals

params

FAQ