What the vulnerability does
01Description
Missing Authorization vulnerability in Zoho Mail Zoho ZeptoMail allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zoho ZeptoMail: from n/a through 3.2.9.
CVE-2025-67972
MEDIUM
CVE-2025-67972: WordPress Zoho ZeptoMail plugin <= 3.2.9 - Broken Access Control vulnerability
CVSS base score
4.3/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Explanation of Vulnerability in Simple Terms
02Summary
ZeptoMail versions up to 3.2.9 lack proper authorization checks, allowing authenticated users to trigger a denial-of-service condition. An attacker with valid credentials can make requests that degrade service availability. The vulnerability requires login access and does not affect data confidentiality or integrity.
What an attacker can do
03Attacker Capabilities
Degrade or disrupt ZeptoMail service availability by making authenticated requests.
Potential impact on your site
04Site Impact
Legitimate users may experience service interruptions if an attacker with credentials exploits this flaw.
Conditions required to exploit
05Prerequisites
Attacker must have valid ZeptoMail login credentials.
Key dates
06Disclosure timeline
February 20, 2026
CVE published
May 21, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2024-1732 Sharkdropship for AliExpress Dropshipping and Affiliate <= 2.2.4 - Missing Authorization to Unauthenticated Arbitrary Post Deletion
CVE-2024-34387 WordPress WP Post Author plugin <= 3.6.4 - Rating Value Manipulation vulnerability
CVE-2024-33956 WordPress Custom WooCommerce Checkout Fields Editor plugin <= 1.3.0 - Broken Access Control vulnerability
CVE-2024-34815 WordPress Import and export users and customers plugin <= 1.26.5 - Broken Access Control vulnerability
CVE-2025-69221 LibreChat has Insufficient Access Control for Agent Permission Queries
