[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fYfqx6zAETNgBDN-CRgp6dRYl7Y03uJS1-mnXd3dy9m8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":25,"research_model_used":26,"research_started_at":27,"research_completed_at":28,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":29},"CVE-2026-39673","izooto-missing-authorization","iZooto \u003C= 3.7.20 - Missing Authorization","The iZooto plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.7.20. This makes it possible for unauthenticated attackers to perform an unauthorized action.","izooto-web-push",null,"\u003C=3.7.20","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-19 00:00:00","2026-04-15 21:27:31",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1b1268ae-51b0-4243-9cc8-c8564c121ff2?source=api-prod",[],"researched",false,3,"This research plan outlines the process for identifying and exploiting a missing authorization vulnerability in the **iZooto – Web Push Notifications** plugin (versions \u003C= 3.7.20).\n\n### 1. Vulnerability Summary\nThe iZooto plugin fails to implement proper capability checks on certain AJAX or initialization handlers. This \"Missing Authorization\" vulnerability allows unauthenticated attackers to invoke functions that were intended for administrative use, potentially leading to unauthorized modification of plugin settings, such as the iZooto App ID or integration keys.\n\n### 2. Attack Vector Analysis\n* **Endpoint:** `wp-admin\u002Fadmin-ajax.php` or a hook on `admin_init` \u002F `init`.\n* **Action (Inferred):** Likely `iz_save_settings`, `izooto_save_settings`, or `sync_izooto_settings`.\n* **Payload Parameter:** `action`, `nonce` (if applicable), and setting fields like `izooto_app_id`.\n* **Authentication:** Unauthenticated (as per the vulnerability description).\n* **Preconditions:** The plugin must be active.\n\n### 3. Code Flow (Inferred)\n1. The plugin registers an AJAX action or an `admin_init` hook in the main plugin file or an includes class (e.g., `izooto.php` or `includes\u002Fclass-izooto.php`).\n2. **Entry Point:** An unauthenticated request is sent to `admin-ajax.php?action=[VULNERABLE_ACTION]`.\n3. **Missing Check:** The handler function (e.g., `iz_save_settings()`) is invoked. It likely lacks a `current_user_can( 'manage_options' )` check.\n4. **Sink:** The function processes user-supplied input from `$_POST` and passes it to `update_option()`, allowing settings to be overwritten.\n\n### 4. Nonce Acquisition Strategy\nTo determine if a nonce is required and how to obtain it:\n1. **Locate Registration:** Search for the action registration:\n `grep -rn \"wp_ajax_\" .`\n2. **Analyze Handler:** Check if the handler uses `check_ajax_referer()` or `wp_verify_nonce()`.\n3. **Identify Localization:** If a nonce is required, find where it is passed to the frontend:\n `grep -rn \"wp_localize_script\" .`\n4. **Extraction:**\n * Identify the script handle and the object name (e.g., `izooto_ajax_obj`).\n * Find which page enqueues this script (typically the plugin settings page, but sometimes the public frontend for subscriber tracking).\n * If available on the frontend, create a post\u002Fpage to trigger the script if necessary:\n `wp post create --post_type=page --post_status=publish --post_content='[izooto_shortcode]'` (Verify actual shortcode name via `grep -r \"add_shortcode\" .`).\n * Navigate to the page using `browser_navigate`.\n * Execute: `browser_eval(\"window.izooto_ajax_obj?.nonce\")` (Replace `izooto_ajax_obj` and `nonce` with the actual keys found in the code).\n\n### 5. Exploitation Strategy\nThe goal is to modify the plugin's configuration unauthenticated.\n\n1. **Discovery:** Use the following to find the exact vulnerable action and parameter:\n ```bash\n grep -rnE \"update_option|update_site_option\" . -A 5 | grep -B 5 \"wp_ajax\"\n ```\n2. **Target Settings:** Identify the option name used to store the iZooto App ID (likely `izooto_settings` or `iz_app_id`).\n3. **HTTP Request (Example):**\n * **Method:** `POST`\n * **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n * **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n * **Body:**\n ```\n action=iz_save_settings&iz_app_id=ATTACKER_APP_ID&nonce=[EXTRACTED_NONCE]\n ```\n *(Note: If the check is entirely missing, the nonce parameter can be omitted or sent as a dummy value.)*\n\n### 6. Test Data Setup\n1. Install and activate iZooto \u003C= 3.7.20.\n2. Configure a legitimate App ID via the WordPress admin UI initially to establish a baseline:\n `wp option update izooto_settings '{\"app_id\":\"12345\"}'` (Example structure).\n3. Identify the required parameters by inspecting the settings form in the admin dashboard.\n\n### 7. Expected Results\n* The server should return a `200 OK` or a JSON success response (e.g., `{\"success\":true}`).\n* The targeted WordPress option (e.g., `izooto_settings`) should be updated with the attacker's value.\n\n### 8. Verification Steps\nAfter sending the exploit request, verify the state change via WP-CLI:\n```bash\n# Check if the option value has changed\nwp option get izooto_settings\n```\nExpected output: The data should now reflect the `ATTACKER_APP_ID`.\n\n### 9. Alternative Approaches\n* **Check `admin_init` Hook:** If no `wp_ajax_nopriv` is found, the vulnerability may exist in a function hooked to `admin_init`. Since `admin_init` runs for every request to `wp-admin\u002Fadmin-ajax.php` (even for unauthenticated users), an unprotected hook here is a common source of \"Missing Authorization.\"\n * Look for: `add_action( 'admin_init', 'vulnerable_function' )`.\n * Check if `vulnerable_function` processes `$_POST` without checking `current_user_can`.\n* **REST API:** Check for registered REST routes:\n `grep -rn \"register_rest_route\" .`\n Inspect the `permission_callback`. If it is `__return_true` or missing, the endpoint is unauthenticated.","The iZooto plugin for WordPress is vulnerable to unauthorized access in versions up to and including 3.7.20 due to a missing capability check on administrative functions. This allows unauthenticated attackers to invoke these functions, potentially leading to unauthorized modification of plugin settings such as the App ID and integration keys.","1. Identify the vulnerable AJAX action (e.g., 'iz_save_settings') or administrative hook (e.g., 'admin_init') used for updating plugin configuration.\n2. Determine the required POST parameters for updating settings, such as 'iz_app_id', by inspecting the plugin's settings page.\n3. Verify if a security nonce is required; if so, identify a method to extract it from the public frontend or script localization.\n4. Send an unauthenticated POST request to 'wp-admin\u002Fadmin-ajax.php' containing the vulnerable action and the desired configuration values.\n5. Confirm the vulnerability by verifying that the targeted option in the WordPress database (e.g., 'izooto_settings') has been updated with the attacker-supplied value.","gemini-3-flash-preview","2026-04-19 02:24:14","2026-04-19 02:24:33",{"type":30,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":31},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fizooto-web-push\u002Ftags"]