CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
Description (NVD)
Insertion of Sensitive Information Into Sent Data vulnerability in DigitalME eRoom eroom-zoom-meetings-webinar allows Retrieve Embedded Sensitive Data. This issue affects eRoom: from n/a through <= 1.5.6.
Analysis (AI)
The DigitalME eRoom eroom-zoom-meetings-webinar plugin, through version 1.5.6, exposes sensitive data in sent communications due to improper data handling. An unauthenticated remote attacker who can induce a user interaction is able to retrieve the embedded sensitive information across site boundaries. The EPSS exploitation probability is low at 0.04%, but the vulnerability has a low impact on confidentiality, integrity, and availability (C:L/I:L/A:L) through its information disclosure mechanism, which may be chained with other flaws.
Technical Context (AI)
The vulnerability stems from CWE-201 (Insertion of Sensitive Information Into Sent Data), a root-cause class that occurs when an application transmits sensitive data (credentials, tokens, personal information) over unencrypted or inadequately protected channels or communications. In this case, the DigitalME eRoom plugin for WordPress, which integrates Zoom meeting and webinar functionality, fails to properly sanitize or encrypt sensitive data before sending it through HTTP responses or client-side data structures. The changed scope (S:C in the CVSS vector) indicates that the exposure may traverse trust boundaries, potentially affecting multiple users or contexts. The user-interaction requirement (UI:R) indicates that retrieving the embedded data requires social engineering or some other action by a victim user.
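The following is an added, hypothetical illustration of the CWE-201 pattern in a WordPress plugin that wraps a Zoom integration; it is not the eRoom plugin's code and makes no claim about how that plugin leaks data. Every function name, option name, script handle and REST route here is an assumption. The first handler shows the weak pattern (a server-side credential copied into data that WordPress writes into every visitor's page source), and the second shows the hardened alternative, where the browser receives only a nonce and a REST route and the server calls the upstream API on the user's behalf after checking capability and nonce.

```php
<?php
// Added example (hypothetical plugin "eg-meetings"); not from the eRoom plugin.
// Option names, handles and routes are assumptions for illustration only.

// --- Weak pattern (CWE-201): a server-side secret is placed in the data that
// wp_localize_script() emits as an inline <script> on every page that loads
// the handle. Anyone who can load or be lured to that page can read the
// secret from the HTML or from the JavaScript global egMeetingConfig.
function eg_enqueue_meeting_script_weak() {
    wp_enqueue_script( 'eg-meetings', plugins_url( 'js/meetings.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'eg-meetings', 'egMeetingConfig', array(
        'apiKey'    => get_option( 'eg_zoom_api_key' ),    // sensitive: sent to the client
        'apiSecret' => get_option( 'eg_zoom_api_secret' ), // sensitive: sent to the client
        'ajaxUrl'   => admin_url( 'admin-ajax.php' ),
    ) );
}
// add_action( 'wp_enqueue_scripts', 'eg_enqueue_meeting_script_weak' ); // do not use

// --- Hardened pattern: the client receives only a REST URL and a nonce.
// The credential never leaves the server.
function eg_enqueue_meeting_script_hardened() {
    wp_enqueue_script( 'eg-meetings', plugins_url( 'js/meetings.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'eg-meetings', 'egMeetingConfig', array(
        'restUrl' => esc_url_raw( rest_url( 'eg-meetings/v1/list' ) ),
        'nonce'   => wp_create_nonce( 'wp_rest' ), // sent back by the JS as X-WP-Nonce
    ) );
}
add_action( 'wp_enqueue_scripts', 'eg_enqueue_meeting_script_hardened' );

function eg_register_routes() {
    register_rest_route( 'eg-meetings/v1', '/list', array(
        'methods'             => 'GET',
        'callback'            => 'eg_list_meetings',
        // Cookie-authenticated REST calls are only honoured when the nonce is
        // valid; on top of that, require a logged-in user with a capability.
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can( 'read' );
        },
    ) );
}
add_action( 'rest_api_init', 'eg_register_routes' );

function eg_list_meetings( WP_REST_Request $request ) {
    $token    = eg_get_server_side_token(); // stays server-side
    $response = wp_remote_get( 'https://api.zoom.us/v2/users/me/meetings', array(
        'headers' => array( 'Authorization' => 'Bearer ' . $token ),
        'timeout' => 10,
    ) );
    if ( is_wp_error( $response ) ) {
        return new WP_Error( 'eg_upstream', 'Upstream request failed', array( 'status' => 502 ) );
    }
    $body = json_decode( wp_remote_retrieve_body( $response ), true );

    // Return only the fields the UI needs. Echoing the upstream payload
    // wholesale is a second way to end up with CWE-201, since it may carry
    // join URLs, passcodes or host details the viewer should not see.
    $out = array();
    foreach ( (array) ( $body['meetings'] ?? array() ) as $m ) {
        $out[] = array(
            'id'    => isset( $m['id'] ) ? (string) $m['id'] : '',
            'topic' => isset( $m['topic'] ) ? sanitize_text_field( $m['topic'] ) : '',
            'start' => isset( $m['start_time'] ) ? sanitize_text_field( $m['start_time'] ) : '',
        );
    }
    return rest_ensure_response( $out );
}

function eg_get_server_side_token() {
    // Hypothetical: read a stored access token. In a real plugin this would
    // be obtained through the vendor's OAuth flow and refreshed as needed.
    return (string) get_option( 'eg_zoom_access_token' );
}
```

For a site owner reviewing an installed plugin, the practical check that follows from this pattern is to view the rendered page source of a page that uses the plugin and inspect any inline configuration objects the plugin localizes: keys, secrets, tokens or meeting passcodes appearing there are sent to every visitor, and rotating them is the first remediation step regardless of which plugin put them there.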
Affected Products (AI)
DigitalME eRoom eroom-zoom-meetings-webinar WordPress plugin versions 1.5.6 and earlier are affected. The plugin integrates Zoom meeting and webinar capabilities into WordPress sites. Full details and advisory are available via Patchstack's vulnerability database at https://patchstack.com/database/Wordpress/Plugin/eroom-zoom-meetings-webinar/vulnerability/wordpress-eroom-plugin-1-5-6-sensitive-data-exposure-vulnerability.
Remediation (AI)
Update the eRoom eroom-zoom-meetings-webinar plugin to the latest patched version above 1.5.6 immediately. Consult the Patchstack advisory and the official plugin repository for the specific patched version number and deployment instructions. As an interim workaround pending patch availability, restrict Zoom meeting webinar functionality to authenticated users only, disable the plugin if not actively used, and audit site logs for evidence of data extraction attempts. Review any sensitive data (API keys, user tokens, personal information) exposed through the plugin and rotate credentials if compromise is suspected.