CVE-2025-11760
BaseFortify
Publication date: 2025-10-25
Last updated on: 2025-10-27
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordfence | eroom_zoom_meetings_webinar | 1.5.6 |
| wordfence | eroom_zoom_meetings_webinar | 1.5.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams for WordPress, versions up to 1.5.6. It exposes Zoom SDK secret keys in client-side JavaScript within the meeting view template. Because these secret keys are visible to anyone, unauthenticated attackers can extract the sdk_secret value, which should be kept server-side. This exposure compromises the security of the Zoom integration and allows attackers to generate valid JWT signatures to gain unauthorized access to meetings.
How can this vulnerability impact me?
The vulnerability can allow unauthenticated attackers to obtain secret keys and generate valid JWT signatures, leading to unauthorized access to meetings. This compromises the confidentiality of meetings, potentially exposing sensitive information to unauthorized parties.
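A defender-side check for the exposure described above, as an added example (not code from the plugin or from this advisory): it scans the rendered HTML of a meeting page for a non-empty `sdk_secret` literal inside inline scripts and reports it with the value redacted. The sample pages and every name other than `sdk_secret` are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Key name from the advisory text; accepts quoted or bare keys and ":" or "=".
SECRET_KEY = re.compile(
    r"""["']?\b(sdk_secret)\b["']?\s*[:=]\s*(["'])(?P<val>(?:\\.|(?!\2).)*)\2""",
    re.IGNORECASE | re.DOTALL)


class InlineScripts(HTMLParser):
    """Collect the bodies of inline <script> elements (those without src)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._inline = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False

    def handle_data(self, data):
        if self._inline:
            self.scripts[-1] += data


def find_exposed_secrets(html):
    """Return one finding per non-empty sdk_secret literal, value redacted."""
    parser = InlineScripts()
    parser.feed(html)
    parser.close()
    return [
        {"script": i, "key": m.group(1), "length": len(m.group("val")),
         "preview": m.group("val")[:2] + "***"}
        for i, body in enumerate(parser.scripts)
        for m in SECRET_KEY.finditer(body)
        if m.group("val")  # an empty placeholder is not a leak
    ]


# Constructed sample pages, not taken from the plugin's templates.
VULNERABLE_PAGE = """<script src="/app.js"></script>
<script>var cfg = {"sdk_key": "EXAMPLEKEY", "sdk_secret": "EXAMPLE-SECRET-0000"};</script>"""
FIXED_PAGE = """<script>var cfg = {"sdk_key": "EXAMPLEKEY", "signature": "signed.on.server"};</script>"""

if __name__ == "__main__":
    print(find_exposed_secrets(VULNERABLE_PAGE), find_exposed_secrets(FIXED_PAGE))
```

Run it over the HTML your own site serves to a logged-out visitor; any finding means the secret has already been public and should be rotated as well as removed from the page.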