CVE-2026-1368
Broken Nonce Verification in Zoom WordPress Plugin Enables Key Exposure
Publication date: 2026-02-18
Last updated on: 2026-02-18
Assigner: WPScan
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zoom | video_conferencing_with_zoom_api | up to 4.6.6 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1368 is a vulnerability in the WordPress plugin "Video Conferencing with Zoom API" in versions before 4.6.6. The issue arises because an AJAX handler in the plugin has its nonce verification disabled (commented out). This flaw allows unauthenticated attackers to send requests to the plugin's AJAX endpoint and obtain valid Zoom SDK signatures for any meeting ID.

Specifically, attackers can send unauthenticated POST requests with arbitrary Zoom meeting IDs to the endpoint wp-admin/admin-ajax.php using the action get_auth. The plugin then returns a JSON response containing a valid SDK signature and the site's Zoom SDK key without requiring any authentication.

This vulnerability is classified as an authentication bypass and falls under the OWASP Top 10 category A2: Broken Authentication and Session Management. It corresponds to CWE-287 (Improper Authentication). [1]
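The following is an added illustration, not the plugin's own code: a hypothetical WordPress AJAX handler of the shape the description implies, with its nonce check commented out, placed beside a hardened version of the same handler. The function names, option keys, nonce action and hook names (vczapi_demo_*) are assumptions, and the JWT claims in the signing helper approximate the general layout of a Zoom Meeting SDK signature rather than reproducing Zoom's current specification.

```php
<?php
// Added example (not the plugin's code). All vczapi_demo_* names, option keys and
// the nonce action are assumptions made for illustration.

// Minimal HS256 JWT signer. The claim set is an approximation of a Zoom Meeting SDK
// signature; the point here is that the SDK secret never leaves the server.
function vczapi_demo_b64url( $data ) {
    return rtrim( strtr( base64_encode( $data ), '+/', '-_' ), '=' );
}

function vczapi_demo_sign( $meeting_id, $sdk_key, $sdk_secret, $role = 0 ) {
    $now     = time();
    $header  = vczapi_demo_b64url( wp_json_encode( array( 'alg' => 'HS256', 'typ' => 'JWT' ) ) );
    $payload = vczapi_demo_b64url( wp_json_encode( array(
        'sdkKey'   => $sdk_key,
        'mn'       => $meeting_id,
        'role'     => $role,
        'iat'      => $now,
        'exp'      => $now + 2 * HOUR_IN_SECONDS,
        'tokenExp' => $now + 2 * HOUR_IN_SECONDS,
    ) ) );
    $sig = vczapi_demo_b64url( hash_hmac( 'sha256', "$header.$payload", $sdk_secret, true ) );
    return "$header.$payload.$sig";
}

// --- Vulnerable shape: nonce verification commented out ---------------------------
function vczapi_demo_get_auth_vulnerable() {
    // check_ajax_referer( 'vczapi_demo_nonce', 'nonce' ); // disabled: every caller passes
    $meeting_id = isset( $_POST['meeting_id'] ) ? sanitize_text_field( wp_unslash( $_POST['meeting_id'] ) ) : '';
    $sdk_key    = get_option( 'vczapi_demo_sdk_key' );
    $sdk_secret = get_option( 'vczapi_demo_sdk_secret' );

    // Any meeting ID is accepted and a valid signature plus the SDK key is returned.
    wp_send_json_success( array(
        'signature' => vczapi_demo_sign( $meeting_id, $sdk_key, $sdk_secret ),
        'sdk_key'   => $sdk_key,
    ) );
}
// Registering on the nopriv hook as well makes the handler reachable without a session.
add_action( 'wp_ajax_vczapi_demo_get_auth_vulnerable', 'vczapi_demo_get_auth_vulnerable' );
add_action( 'wp_ajax_nopriv_vczapi_demo_get_auth_vulnerable', 'vczapi_demo_get_auth_vulnerable' );

// --- Hardened shape ----------------------------------------------------------------
function vczapi_demo_get_auth_hardened() {
    // 1. CSRF protection: check_ajax_referer() rejects the request and dies if the
    //    'nonce' POST field does not verify against the 'vczapi_demo_nonce' action.
    check_ajax_referer( 'vczapi_demo_nonce', 'nonce' );

    // 2. Authentication and authorisation: a nonce alone is not an identity check.
    //    'read' is the baseline capability of a logged-in user; tighten as the site needs.
    if ( ! is_user_logged_in() || ! current_user_can( 'read' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Strict input validation: only sign numeric meeting IDs.
    $meeting_id = isset( $_POST['meeting_id'] ) ? sanitize_text_field( wp_unslash( $_POST['meeting_id'] ) ) : '';
    if ( ! preg_match( '/^\d{9,11}$/', $meeting_id ) ) {
        wp_send_json_error( array( 'message' => 'invalid meeting id' ), 400 );
    }

    $sdk_key    = get_option( 'vczapi_demo_sdk_key' );
    $sdk_secret = get_option( 'vczapi_demo_sdk_secret' );

    // 4. The client SDK needs the key and a signature; the secret stays server-side.
    wp_send_json_success( array(
        'signature' => vczapi_demo_sign( $meeting_id, $sdk_key, $sdk_secret ),
        'sdk_key'   => $sdk_key,
    ) );
}
// Only the authenticated hook is registered: unauthenticated requests get WordPress's
// default response for an unknown action instead of reaching the handler.
add_action( 'wp_ajax_vczapi_demo_get_auth_hardened', 'vczapi_demo_get_auth_hardened' );

// The page that loads the front-end script hands it a fresh nonce to send back as 'nonce'.
function vczapi_demo_enqueue_assets() {
    wp_enqueue_script( 'vczapi-demo', plugins_url( 'demo.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'vczapi-demo', 'vczapiDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'vczapi_demo_nonce' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'vczapi_demo_enqueue_assets' );
```

Two distinct defects are being closed in the hardened handler: the commented-out nonce check (the CSRF control) and the absence of any identity check (the CWE-287 root cause). Restoring only the nonce would not be enough, because WordPress nonces are also issued to anonymous visitors; the capability check and the choice not to register the nopriv hook are what actually bind the signature-issuing endpoint to an authenticated user.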
How can this vulnerability impact me?
This vulnerability can have significant security impacts because attackers can generate valid Zoom SDK signatures for any meeting ID without authentication.
With these signatures and the exposed Zoom SDK key, attackers might gain unauthorized access to Zoom meetings integrated via the plugin or manipulate meeting sessions.
Such unauthorized access could lead to privacy breaches, disruption of meetings, or exposure of sensitive information shared during those meetings.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending an unauthenticated POST request to the WordPress AJAX handler endpoint to check whether the Zoom SDK key and signature are exposed.

A suggested command to test for this vulnerability is:

    curl -s -X POST "http://example.com/wp-admin/admin-ajax.php" -d "action=get_auth&meeting_id=123456789"

If the plugin is vulnerable and the Zoom SDK key is configured, the response will be a JSON object containing a valid SDK signature and the exposed SDK key. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Video Conferencing with Zoom WordPress plugin to version 4.6.6 or later, where the nonce verification issue has been fixed.
Until the update can be applied, consider restricting access to the AJAX handler endpoint or disabling the plugin if possible to prevent exploitation.