WordPress Plugin Vulnerabilities

Video Conferencing with Zoom < 3.8.17 - E-mail Address Disclosure

Description

The plugin does not have authorisation in its vczapi_get_wp_users AJAX action, allowing any authenticated users, such as subscriber to download the list of email addresses registered on the blog

Proof of Concept

Open the following URL as a subscriber: https://example.com/wp-admin/admin-ajax.php?action=vczapi_get_wp_users

Affects Plugins

video-conferencing-with-zoom-api

Fixed in version 3.8.17

References

CVE

CVE-2022-0384

URL

https://plugins.trac.wordpress.org/changeset/2671219

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CWE-200

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

91c44c45-994b-4aed-b9f9-7db45924eeb4

Timeline

Publicly Published

2022-02-14 (about 3 months ago)

Added

2022-02-14 (about 3 months ago)

Last Updated

2022-04-08 (about 1 months ago)

Our Other Services

WPScan WordPress Security Plugin