Skip to main content

Video Conferencing with Zoom CVE-2026-6964

| EUVDEUVD-2026-37031 MEDIUM
Missing Authorization (CWE-862)
2026-06-16 Wordfence GHSA-6g6j-8675-mq6h
5.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.8 MEDIUM

Scope changed to C because credential exposure enables access to Zoom (a separate system); no integrity or availability impact applies.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 04:31 vuln.today
CVE Published
Jun 16, 2026 - 03:30 nvd
MEDIUM 5.3

DescriptionNVD

The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to obtain the site's Zoom SDK API key and a freshly-signed JWT that can be used with the Zoom Web SDK to join any Zoom meeting associated with those credentials without a legitimate invitation.

AnalysisAI

Unauthenticated access to Zoom SDK credentials is possible in the Video Conferencing with Zoom WordPress plugin (versions up to and including 4.6.7) due to missing authorization checks on AJAX endpoints. Any unauthenticated remote attacker can retrieve the site's Zoom SDK API key - a persistent, reusable secret - along with a freshly-signed JWT, enabling them to join any Zoom meeting associated with those credentials without a valid invitation. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low attack complexity and zero authentication requirement make this straightforward to exploit.

Technical ContextAI

The plugin (CPE: cpe:2.3:a:j_3rk:video_conferencing_with_zoom:*:*:*:*:*:*:*:*) integrates WordPress sites with the Zoom Web SDK by storing a Zoom SDK API key and using it to issue signed JWTs (JSON Web Tokens) that authorize participants to join meetings. The root cause is CWE-862 (Missing Authorization): WordPress AJAX actions registered by the plugin - specifically in class-zvc-admin-ajax.php at line 183 and template-functions.php at line 558 - do not verify that the requesting user holds any WordPress capability before returning sensitive credential material. The Zoom SDK JWT signing flow is designed to be server-side and gated, but the plugin exposes this signing function without access control, effectively making the credential retrieval endpoint public. The API key, once disclosed, is persistent and does not expire on request, compounding the exposure beyond a single JWT issuance.

RemediationAI

Update the Video Conferencing with Zoom plugin immediately to the version released after 4.6.7 - a fix commit is confirmed in the plugin's WordPress SVN trunk (changeset 3565576 at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3565576%40video-conferencing-with-zoom-api&new=3565576%40video-conferencing-with-zoom-api), but the exact patched release version number has not been independently confirmed from available data; verify against the WordPress.org plugin page for the current version. If immediate upgrade is not possible, the most effective compensating control is to deactivate the plugin entirely until patching is feasible, which eliminates the exposed AJAX endpoints. As a secondary compensating control if deactivation is not an option, restrict access to WordPress AJAX endpoints (wp-admin/admin-ajax.php) to authenticated sessions only via web application firewall or server-level access controls - note this may break front-end functionality relying on unauthenticated AJAX. Additionally, rotate the Zoom SDK API key in the Zoom developer dashboard immediately, since any previously exposed key should be considered compromised regardless of patching.

Share

CVE-2026-6964 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy