WordPress Plugin Vulnerabilities

Video Conferencing with Zoom < 3.8.17 - E-mail Address Disclosure

Description

The plugin does not have authorisation in its vczapi_get_wp_users AJAX action, allowing any authenticated users, such as subscriber to download the list of email addresses registered on the blog

Proof of Concept

Affects Plugins

Plugin icon
video-conferencing-with-zoom-api
Fixed in 3.8.17

References

CVE
CVE-2022-0384
URL
https://plugins.trac.wordpress.org/changeset/2671219

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Submitter
Krzysztof Zając
Submitter website
https://kazet.cc/
Verified
Yes
WPVDB ID
91c44c45-994b-4aed-b9f9-7db45924eeb4

Timeline

Publicly Published
2022-02-14 (about 3 years ago)
Added
2022-02-14 (about 3 years ago)
Last Updated
2022-04-08 (about 3 years ago)

Other

Published
Title
Published
2024-05-03
Title
Mooberry Book Manager < 4.15.13 - Unauthenticated Information Exposure via Export Files
Published
2024-08-12
Title
Create by Mediavine < 1.9.9 - Unauthenticated Sensitive Information Exposure
Published
2024-02-02
Title
LearnDash LMS < 4.10.2 - Sensitive Information Exposure via assignments
Published
2024-12-10
Title
Restrict – membership, site, content and user access restrictions for WordPress < 2.2.9 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure
Published
2024-07-15
Title
AForms < 2.2.7 - Unauthenticated Full Path Disclosure