WordPress Plugin Vulnerabilities

eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams < 1.5.7 - Unauthenticated Sensitive Information Exposure

Description

The eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams plugin for WordPress is vulnerable to exposure of sensitive information in all versions up to, and including, 1.5.6. This is due to the plugin exposing Zoom SDK secret keys in client-side JavaScript within the meeting view template. This makes it possible for unauthenticated attackers to extract the sdk_secret value, which should remain server-side, compromising the security of the Zoom integration and allowing attackers to generate valid JWT signatures for unauthorized meeting access.

Affects Plugins

Plugin icon
eroom-zoom-meetings-webinar
Fixed in 1.5.7

References

CVE
CVE-2025-11760
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0baaa6b7-3884-465e-bae3-46edab6312d4

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Rafshanzani Suhada
Verified
No
WPVDB ID
51b9a1a6-eaf6-4d13-95d7-5cc7df93676f

Timeline

Publicly Published
2025-10-24 (about 8 months ago)
Added
2025-10-24 (about 8 months ago)
Last Updated
2025-10-25 (about 8 months ago)

Other

Published
Title
Published
2025-11-26
Title
eRoom < 1.5.7 - Unauthenticated Information Exposure
Published
2024-06-19
Title
Event Monster < 1.4.4 - Unauthenticated Information Exposure
Published
2026-02-01
Title
rtMedia for WordPress, BuddyPress and bbPress < 4.7.9 - Unauthenticated Information Exposure
Published
2025-08-17
Title
IDonatePro <= 2.1.9 - Authenticated (Subscriber+) Information Exposure
Published
2024-02-20
Title
Backup Bolt < 1.4.0 - Sensitive Data Exposure