Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionCVE.org
Missing Authorization vulnerability in Deepen Bajracharya Video Conferencing with Zoom video-conferencing-with-zoom-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Video Conferencing with Zoom: from n/a through <= 4.6.6.
AnalysisAI
Missing authorization in Deepen Bajracharya's Video Conferencing with Zoom WordPress plugin through version 4.6.6 allows authenticated attackers to modify video conference data via broken access control. The plugin fails to properly validate whether users have permission to access or modify specific conference resources, enabling privilege escalation within the plugin's functionality. CVSS 4.3 reflects limited integrity impact; EPSS 0.02% (percentile 4%) suggests exploitation is unlikely in practice despite the authorization defect.
Technical ContextAI
The vulnerability stems from CWE-862 (Missing Authorization), a foundational access control weakness where the application fails to enforce authorization checks before allowing resource modification. In this WordPress plugin context, the issue manifests as incorrectly configured access control security levels in the Zoom API integration layer. The plugin likely processes authenticated user requests to modify conference settings without verifying that the requesting user owns or has explicit permission to access the target conference resource. This is distinct from authentication (proving identity) - the user is authenticated but the plugin does not check what resources they should be allowed to access.
RemediationAI
Update the Video Conferencing with Zoom plugin to a patched version released after 4.6.6. Administrators should navigate to WordPress Dashboard > Plugins > Installed Plugins, locate 'Video Conferencing with Zoom,' and apply the latest available update. If a patched version is not yet available, restrict plugin access to trusted administrator roles only via WordPress user role management, and review access control rules in the plugin settings to ensure only authorized users can modify conference resources. Reference the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/video-conferencing-with-zoom-api/vulnerability/wordpress-video-conferencing-with-zoom-plugin-4-6-6-broken-access-control-vulnerability?_s_id=cve for the latest patch status and detailed remediation guidance.
More in Video Conferencing With Zoom
View allThe Video Conferencing with Zoom WordPress plugin before 3.8.17 does not have authorisation in its vczapi_get_wp_users A
The Video Conferencing with Zoom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zoo
Unauthenticated access to Zoom SDK credentials is possible in the Video Conferencing with Zoom WordPress plugin (version
The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded e
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20320
GHSA-ww9f-25j7-gx7q