CVE-2026-6440
Received Received - Intake

Cross-Site Request Forgery in GoodMeet WordPress Plugin

Vulnerability report for CVE-2026-6440, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: Wordfence

Description

The GoodMeet – Google Meet Integration for Webinar, Meeting & Video Conference plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1.8. This is due to a missing nonce verification in the reset_credential() function, which handles the wp_ajax_goodmeet_reset_google_meet_credential AJAX action. While the function does verify the user's capability (manage_options), it does not validate a nonce, making it susceptible to CSRF attacks. This makes it possible for unauthenticated attackers to trick a site administrator into clicking a malicious link that will reset (delete) the plugin's stored Google Meet API credentials (goodmeet_google_credentials) and OAuth tokens (goodmeet_google_token), effectively disabling the Google Meet integration on the site.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
goodmeet goodmeet to 1.1.8 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the GoodMeet – Google Meet Integration plugin for WordPress, specifically in versions up to and including 1.1.8. It is a Cross-Site Request Forgery (CSRF) issue caused by the absence of nonce verification in the reset_credential() function, which handles an AJAX action to reset Google Meet credentials.

Although the function checks if the user has the capability to manage options, it does not validate a nonce, which is a security token used to verify the legitimacy of requests. This flaw allows an attacker to trick a site administrator into clicking a malicious link that triggers the reset of the plugin's stored Google Meet API credentials and OAuth tokens.

As a result, the Google Meet integration on the affected WordPress site can be disabled without the administrator's consent.

Impact Analysis

This vulnerability can impact you by allowing an attacker to disable the Google Meet integration on your WordPress site without your permission.

Specifically, an attacker can trick an administrator into clicking a malicious link that resets and deletes the plugin's stored Google Meet API credentials and OAuth tokens.

This disruption could affect your ability to conduct webinars, meetings, or video conferences through the plugin, potentially causing operational interruptions.

Mitigation Strategies

To mitigate this vulnerability, you should update the GoodMeet – Google Meet Integration for Webinar, Meeting & Video Conference plugin for WordPress to a version later than 1.1.8 where the nonce verification issue is fixed.

Additionally, as a temporary measure, restrict access to the plugin's reset_credential() AJAX action to trusted users only and avoid clicking on suspicious links that could trigger the reset of Google Meet API credentials.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6440. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart