Skip to main content

Video Conferencing With Zoom

5 CVEs product

Monthly

CVE-2026-6964 MEDIUM This Month

Unauthenticated access to Zoom SDK credentials is possible in the Video Conferencing with Zoom WordPress plugin (versions up to and including 4.6.7) due to missing authorization checks on AJAX endpoints. Any unauthenticated remote attacker can retrieve the site's Zoom SDK API key - a persistent, reusable secret - along with a freshly-signed JWT, enabling them to join any Zoom meeting associated with those credentials without a valid invitation. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low attack complexity and zero authentication requirement make this straightforward to exploit.

Authentication Bypass WordPress Video Conferencing With Zoom
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-39653 MEDIUM This Month

Missing authorization in Deepen Bajracharya's Video Conferencing with Zoom WordPress plugin through version 4.6.6 allows authenticated attackers to modify video conference data via broken access control. The plugin fails to properly validate whether users have permission to access or modify specific conference resources, enabling privilege escalation within the plugin's functionality. CVSS 4.3 reflects limited integrity impact; EPSS 0.02% (percentile 4%) suggests exploitation is unlikely in practice despite the authorization defect.

Authentication Bypass Video Conferencing With Zoom
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2024-2031 MEDIUM This Month

The Video Conferencing with Zoom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zoom_recordings_by_meeting' shortcode in all versions up to, and including, 4.4.4. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Video Conferencing With Zoom
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2023-3947 LOW PATCH Monitor

The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the 'vczapi_encrypt_decrypt' function in versions up to, and. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure WordPress Video Conferencing With Zoom
NVD VulDB
CVSS 3.1
3.7
EPSS
0.2%
CVE-2022-0384 MEDIUM POC PATCH This Month

The Video Conferencing with Zoom WordPress plugin before 3.8.17 does not have authorisation in its vczapi_get_wp_users AJAX action, allowing any authenticated users, such as subscriber to download. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress Information Disclosure Video Conferencing With Zoom
NVD WPScan
CVSS 3.1
4.3
EPSS
1.0%
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated access to Zoom SDK credentials is possible in the Video Conferencing with Zoom WordPress plugin (versions up to and including 4.6.7) due to missing authorization checks on AJAX endpoints. Any unauthenticated remote attacker can retrieve the site's Zoom SDK API key - a persistent, reusable secret - along with a freshly-signed JWT, enabling them to join any Zoom meeting associated with those credentials without a valid invitation. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, though the low attack complexity and zero authentication requirement make this straightforward to exploit.

Authentication Bypass WordPress Video Conferencing With Zoom
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing authorization in Deepen Bajracharya's Video Conferencing with Zoom WordPress plugin through version 4.6.6 allows authenticated attackers to modify video conference data via broken access control. The plugin fails to properly validate whether users have permission to access or modify specific conference resources, enabling privilege escalation within the plugin's functionality. CVSS 4.3 reflects limited integrity impact; EPSS 0.02% (percentile 4%) suggests exploitation is unlikely in practice despite the authorization defect.

Authentication Bypass Video Conferencing With Zoom
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Video Conferencing with Zoom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zoom_recordings_by_meeting' shortcode in all versions up to, and including, 4.4.4. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS Video Conferencing With Zoom
NVD
EPSS 0% CVSS 3.7
LOW PATCH Monitor

The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the 'vczapi_encrypt_decrypt' function in versions up to, and. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure WordPress Video Conferencing With Zoom
NVD VulDB
EPSS 1% CVSS 4.3
MEDIUM POC PATCH This Month

The Video Conferencing with Zoom WordPress plugin before 3.8.17 does not have authorisation in its vczapi_get_wp_users AJAX action, allowing any authenticated users, such as subscriber to download. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

WordPress Information Disclosure Video Conferencing With Zoom
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy