Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Scope changed to C because credential exposure enables access to Zoom (a separate system); no integrity or availability impact applies.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to obtain the site's Zoom SDK API key and a freshly-signed JWT that can be used with the Zoom Web SDK to join any Zoom meeting associated with those credentials without a legitimate invitation.
AnalysisAI
Unauthenticated access to Zoom SDK credentials is possible in the Video Conferencing with Zoom WordPress plugin (versions up to and including 4.6.7) due to missing authorization checks on AJAX endpoints. Any unauthenticated remote attacker can retrieve the site's Zoom SDK API key - a persistent, reusable secret - along with a freshly-signed JWT, enabling them to join any Zoom meeting associated with those credentials without a valid invitation. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low attack complexity and zero authentication requirement make this straightforward to exploit.
Technical ContextAI
The plugin (CPE: cpe:2.3:a:j_3rk:video_conferencing_with_zoom:*:*:*:*:*:*:*:*) integrates WordPress sites with the Zoom Web SDK by storing a Zoom SDK API key and using it to issue signed JWTs (JSON Web Tokens) that authorize participants to join meetings. The root cause is CWE-862 (Missing Authorization): WordPress AJAX actions registered by the plugin - specifically in class-zvc-admin-ajax.php at line 183 and template-functions.php at line 558 - do not verify that the requesting user holds any WordPress capability before returning sensitive credential material. The Zoom SDK JWT signing flow is designed to be server-side and gated, but the plugin exposes this signing function without access control, effectively making the credential retrieval endpoint public. The API key, once disclosed, is persistent and does not expire on request, compounding the exposure beyond a single JWT issuance.
RemediationAI
Update the Video Conferencing with Zoom plugin immediately to the version released after 4.6.7 - a fix commit is confirmed in the plugin's WordPress SVN trunk (changeset 3565576 at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3565576%40video-conferencing-with-zoom-api&new=3565576%40video-conferencing-with-zoom-api), but the exact patched release version number has not been independently confirmed from available data; verify against the WordPress.org plugin page for the current version. If immediate upgrade is not possible, the most effective compensating control is to deactivate the plugin entirely until patching is feasible, which eliminates the exposed AJAX endpoints. As a secondary compensating control if deactivation is not an option, restrict access to WordPress AJAX endpoints (wp-admin/admin-ajax.php) to authenticated sessions only via web application firewall or server-level access controls - note this may break front-end functionality relying on unauthenticated AJAX. Additionally, rotate the Zoom SDK API key in the Zoom developer dashboard immediately, since any previously exposed key should be considered compromised regardless of patching.
More in Video Conferencing With Zoom
View allThe Video Conferencing with Zoom WordPress plugin before 3.8.17 does not have authorisation in its vczapi_get_wp_users A
The Video Conferencing with Zoom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zoo
Missing authorization in Deepen Bajracharya's Video Conferencing with Zoom WordPress plugin through version 4.6.6 allows
The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded e
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37031
GHSA-6g6j-8675-mq6h