CVE-2026-1368
Received Received - Intake
Broken Nonce Verification in Zoom WordPress Plugin Enables Key Exposure

Publication date: 2026-02-18

Last updated on: 2026-02-18

Assigner: WPScan

Description
The Video Conferencing with Zoom WordPress plugin before 4.6.6 contains an AJAX handler that has its nonce verification commented out, allowing unauthenticated attackers to generate valid Zoom SDK signatures for any meeting ID and retrieve the site's Zoom SDK key.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1368
EUVD
EUVD-2026-8067
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zoom video_conferencing_with_zoom_api to 4.6.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-1368 is a vulnerability in the WordPress plugin "Video Conferencing with Zoom API" versions before 4.6.6. The issue arises because an AJAX handler in the plugin has its nonce verification disabled (commented out). This flaw allows unauthenticated attackers to send requests to the plugin\'s AJAX endpoint and obtain valid Zoom SDK signatures for any meeting ID.'}, {'type': 'paragraph', 'content': "Specifically, attackers can send unauthenticated POST requests with arbitrary Zoom meeting IDs to the endpoint wp-admin/admin-ajax.php using the action get_auth. The plugin then returns a JSON response containing a valid SDK signature and the site's Zoom SDK key without requiring any authentication."}, {'type': 'paragraph', 'content': 'This vulnerability is classified as an authentication bypass and falls under the OWASP Top 10 category A2: Broken Authentication and Session Management. It corresponds to CWE-287 (Improper Authentication).'}] [1]

Impact Analysis

This vulnerability can have significant security impacts because attackers can generate valid Zoom SDK signatures for any meeting ID without authentication.

With these signatures and the exposed Zoom SDK key, attackers might gain unauthorized access to Zoom meetings integrated via the plugin or manipulate meeting sessions.

Such unauthorized access could lead to privacy breaches, disruption of meetings, or exposure of sensitive information shared during those meetings.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending an unauthenticated POST request to the WordPress AJAX handler endpoint to check if the Zoom SDK key and signature are exposed.'}, {'type': 'paragraph', 'content': 'A suggested command to test for this vulnerability is:'}, {'type': 'list_item', 'content': 'curl -s -X POST "http://example.com/wp-admin/admin-ajax.php" -d "action=get_auth&meeting_id=123456789"'}, {'type': 'paragraph', 'content': 'If the plugin is vulnerable and the Zoom SDK key is configured, the response will be a JSON object containing a valid SDK signature and the exposed SDK key.'}] [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Video Conferencing with Zoom WordPress plugin to version 4.6.6 or later, where the nonce verification issue has been fixed.

Until the update can be applied, consider restricting access to the AJAX handler endpoint or disabling the plugin if possible to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1368. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart