Goodmeet Google Meet Integration For Webinar Meeting Video Conference
Monthly
Cross-Site Request Forgery in the GoodMeet WordPress plugin (versions up to and including 1.1.8) enables unauthenticated remote attackers to wipe a site's stored Google Meet API credentials and OAuth tokens by deceiving a logged-in administrator into triggering a crafted request. The vulnerable reset_credential() function handling the wp_ajax_goodmeet_reset_google_meet_credential AJAX action checks the manage_options capability but omits mandatory WordPress nonce validation, allowing any cross-origin request to be processed as legitimate. The practical outcome is complete disabling of the site's Google Meet integration with no data disclosure; no public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog.
Cross-Site Request Forgery in the GoodMeet WordPress plugin (versions up to and including 1.1.8) enables unauthenticated remote attackers to wipe a site's stored Google Meet API credentials and OAuth tokens by deceiving a logged-in administrator into triggering a crafted request. The vulnerable reset_credential() function handling the wp_ajax_goodmeet_reset_google_meet_credential AJAX action checks the manage_options capability but omits mandatory WordPress nonce validation, allowing any cross-origin request to be processed as legitimate. The practical outcome is complete disabling of the site's Google Meet integration with no data disclosure; no public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog.