Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Network CSRF requiring admin interaction; availability rated Low because credential deletion fully disables plugin functionality until manually restored.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The GoodMeet - Google Meet Integration for Webinar, Meeting & Video Conference plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1.8. This is due to a missing nonce verification in the reset_credential() function, which handles the wp_ajax_goodmeet_reset_google_meet_credential AJAX action. While the function does verify the user's capability (manage_options), it does not validate a nonce, making it susceptible to CSRF attacks. This makes it possible for unauthenticated attackers to trick a site administrator into clicking a malicious link that will reset (delete) the plugin's stored Google Meet API credentials (goodmeet_google_credentials) and OAuth tokens (goodmeet_google_token), effectively disabling the Google Meet integration on the site.
AnalysisAI
Cross-Site Request Forgery in the GoodMeet WordPress plugin (versions up to and including 1.1.8) enables unauthenticated remote attackers to wipe a site's stored Google Meet API credentials and OAuth tokens by deceiving a logged-in administrator into triggering a crafted request. The vulnerable reset_credential() function handling the wp_ajax_goodmeet_reset_google_meet_credential AJAX action checks the manage_options capability but omits mandatory WordPress nonce validation, allowing any cross-origin request to be processed as legitimate. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The GoodMeet plugin must be installed, activated, and previously configured with Google Meet API credentials (the goodmeet_google_credentials and goodmeet_google_token WordPress options must contain data) on a WordPress installation running version 1.1.8 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.3 (Medium) accurately reflects the bounded impact of this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a webpage containing a hidden, auto-submitting HTML form that sends a POST request to the target WordPress site's admin-ajax.php endpoint with action=goodmeet_reset_google_meet_credential, then distributes the link to a site administrator via phishing email or social media. When the administrator loads the page in their browser while authenticated to the WordPress dashboard, their session cookie is automatically included in the cross-origin request, and without nonce validation the plugin deletes all stored Google Meet credentials and OAuth tokens, silently disabling the site's video conferencing integration. |
| Remediation | A fix has been committed to the GoodMeet plugin repository, as confirmed by the SVN changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3525854%40goodmeet&new=3525854%40goodmeet; however, the specific patched release version number is not independently confirmed from available data and should be verified against the plugin's official WordPress.org changelog before updating. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42848
GHSA-mvg8-4w53-3c5g