WordPress Plugin Vulnerabilities

Video Conferencing with Zoom API < 4.6.6 - Unauthenticated SDK Signature Generation

Description

The plugin contains an AJAX handler that has its nonce verification commented out, allowing unauthenticated attackers to generate valid Zoom SDK signatures for any meeting ID and retrieve the site's Zoom SDK key.

Proof of Concept

Affects Plugins

Plugin icon
video-conferencing-with-zoom-api
Fixed in 4.6.6

References

CVE
CVE-2026-1368

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
7.5 (high)

Miscellaneous

Original Researcher
yiğit ibrahim sağlam
Submitter
yiğit ibrahim sağlam
Submitter website
https://ibrahimsql.com
Submitter twitter
ibrahimsql
Verified
Yes
WPVDB ID
218e6655-c5aa-4bce-86b2-cad3bb20020c

Timeline

Publicly Published
2026-01-28 (about 21 days ago)
Added
2026-01-28 (about 20 days ago)
Last Updated
2026-01-28 (about 20 days ago)

Other

Published
Title
Published
2024-06-03
Title
Social Login Lite For WooCommerce <= 1.6.0 - Authentication Bypass
Published
2015-04-27
Title
WP Ultimate CSV Importer < 3.7.1 - Directory Traversal
Published
2025-01-06
Title
PayU CommercePro Plugin < 3.8.4 - Unauthenticated Privilege Escalation
Published
2025-02-28
Title
SetSail Membership < 1.1 - Authentication Bypass
Published
2016-05-06
Title
safe-editor <= 1.1 - Unauthenticated CSS/JS-injection