Skip to main content

GoodMeet CVE-2026-6440

| EUVDEUVD-2026-42848 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-10 Wordfence GHSA-mvg8-4w53-3c5g
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
5.4 MEDIUM

Network CSRF requiring admin interaction; availability rated Low because credential deletion fully disables plugin functionality until manually restored.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 09:27 vuln.today
CVE Published
Jul 10, 2026 - 07:48 nvd
MEDIUM 4.3

DescriptionCVE.org

The GoodMeet - Google Meet Integration for Webinar, Meeting & Video Conference plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1.8. This is due to a missing nonce verification in the reset_credential() function, which handles the wp_ajax_goodmeet_reset_google_meet_credential AJAX action. While the function does verify the user's capability (manage_options), it does not validate a nonce, making it susceptible to CSRF attacks. This makes it possible for unauthenticated attackers to trick a site administrator into clicking a malicious link that will reset (delete) the plugin's stored Google Meet API credentials (goodmeet_google_credentials) and OAuth tokens (goodmeet_google_token), effectively disabling the Google Meet integration on the site.

AnalysisAI

Cross-Site Request Forgery in the GoodMeet WordPress plugin (versions up to and including 1.1.8) enables unauthenticated remote attackers to wipe a site's stored Google Meet API credentials and OAuth tokens by deceiving a logged-in administrator into triggering a crafted request. The vulnerable reset_credential() function handling the wp_ajax_goodmeet_reset_google_meet_credential AJAX action checks the manage_options capability but omits mandatory WordPress nonce validation, allowing any cross-origin request to be processed as legitimate. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify WordPress site running GoodMeet ≤ 1.1.8
Delivery
Craft hidden auto-submitting CSRF form targeting admin-ajax.php
Exploit
Deliver payload link to site administrator via phishing
Install
Admin visits page while authenticated to WordPress
C2
Browser sends forged request with admin session cookie
Execute
Plugin deletes OAuth tokens and Google Meet credentials
Impact
Google Meet integration disabled site-wide

Vulnerability AssessmentAI

Exploitation The GoodMeet plugin must be installed, activated, and previously configured with Google Meet API credentials (the goodmeet_google_credentials and goodmeet_google_token WordPress options must contain data) on a WordPress installation running version 1.1.8 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.3 (Medium) accurately reflects the bounded impact of this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a webpage containing a hidden, auto-submitting HTML form that sends a POST request to the target WordPress site's admin-ajax.php endpoint with action=goodmeet_reset_google_meet_credential, then distributes the link to a site administrator via phishing email or social media. When the administrator loads the page in their browser while authenticated to the WordPress dashboard, their session cookie is automatically included in the cross-origin request, and without nonce validation the plugin deletes all stored Google Meet credentials and OAuth tokens, silently disabling the site's video conferencing integration.
Remediation A fix has been committed to the GoodMeet plugin repository, as confirmed by the SVN changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3525854%40goodmeet&new=3525854%40goodmeet; however, the specific patched release version number is not independently confirmed from available data and should be verified against the plugin's official WordPress.org changelog before updating. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6440 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy