CVE-2026-6964
Description
The Video Conferencing with Zoom plugin for WordPress ≤4.6.7 fails to verify user authorization, allowing unauthenticated attackers to obtain Zoom SDK credentials and join any meeting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Video Conferencing with Zoom plugin for WordPress versions up to and including 4.6.7 contains an authorization bypass vulnerability in the AJAX handlers. The plugin does not properly verify that a user is authorized to perform actions that expose sensitive credentials. Specifically, the vczapi_state and mtg_data localizations in template-functions.php [1][2][3] and the AJAX endpoints in class-zvc-admin-ajax.php [4] lack proper capability checks, allowing unauthenticated access to the site's Zoom SDK API key and a freshly-signed JWT.
Exploitation
An unauthenticated attacker can send crafted requests to the WordPress AJAX endpoints without any authentication or user interaction. Because the authorization checks are missing, the response discloses the Zoom SDK API key and a JWT that is valid for the Zoom Web SDK. The attacker needs no special network position beyond being able to reach the WordPress site.
Impact
Successful exploitation enables the attacker to use the obtained Zoom SDK API key and JWT to join any Zoom meeting associated with the site's Zoom credentials without a legitimate invitation. This leads to unauthorized access to Zoom meetings, potentially exposing confidential discussions and meeting content. The attacker gains the ability to participate in meetings as if they were an authorized attendee.
Mitigation
The vendor has not yet released a patched version as of the publication date. Users should update to a fixed version once available. As a workaround, administrators can restrict access to the AJAX endpoints via web application firewall rules or disable the plugin until a patch is released. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog at this time.
- [1][2][3] template-functions.php, cited line: `<?php echo ! empty( $zoom['api']->topic ) ? $zoom['api']->topic : 'Join Meeting'; ?>`
- [4] https://plugins.trac.wordpress.org/browser/video-conferencing-with-zoom-api/trunk/includes/admin/class-zvc-admin-ajax.php#L183
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 affected product entries:
- (no CPE) range: <=4.6.7
- (no CPE) range: <=4.6.7
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization check in the join-via-browser template allows unauthenticated attackers to obtain the site's Zoom SDK API key and a signed JWT."
Attack vector
An unauthenticated attacker can trigger the join-via-browser flow by crafting a request with the `join` and `type` parameters (e.g., `?type=meeting&join=<encrypted_meeting_id>`) to any page that loads the plugin's template functions [1]. The plugin does not check whether the requester is a legitimate participant or host before exposing the site's Zoom SDK API key and a freshly-signed JWT. This allows the attacker to use those credentials with the Zoom Web SDK to join any Zoom meeting associated with the site's Zoom account without a valid invitation. The attack is network-based and requires neither authentication nor user interaction.
Affected code
The vulnerability resides in the plugin's template-functions.php file, specifically in the `vczapi_get_single_or_zoom_template()` function and the join-via-browser template rendering logic. The plugin fails to verify that a user is authorized to access the Zoom SDK API key and generate a signed JWT, allowing unauthenticated attackers to obtain these credentials.
What the fix does
The patch in version 4.6.7 adds an authorization check (`vczapi_check_author()`) before rendering the join-via-browser template and exposing the SDK credentials. Specifically, the `vczapi_get_single_or_zoom_template()` function now verifies that the current user is the meeting author or has appropriate capabilities before proceeding with the join flow. This closes the authorization bypass by ensuring that only authenticated users with a legitimate relationship to the meeting can obtain the API key and JWT.
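The following PHP is an added illustration of the pattern described above and is not the plugin's own code: the same credential-exposing step, once without any authorization check (the vulnerable shape) and once gated on the requester being the meeting post's author or holding a capability on it, for both a template localization and an admin-ajax handler. Every name here (`my_zoom_*` functions, the `my_zoom_sdk_key` / `my_zoom_sdk_secret` options, the `my_zoom_meeting_id` post meta, the `my-zoom-join` script handle and `my_zoom_join` nonce action) is an assumption for the example; the JWT claims are generic and do not reproduce Zoom's actual SDK claim set.

```php
<?php
// Added illustration, not the plugin's code. All my_zoom_* names are assumed.

/** Minimal HS256 JWT signer so the example is self-contained (generic claims). */
function my_zoom_sign_jwt( array $claims, string $secret ): string {
    $b64 = static function ( string $s ): string {
        return rtrim( strtr( base64_encode( $s ), '+/', '-_' ), '=' );
    };
    $segments = array(
        $b64( wp_json_encode( array( 'alg' => 'HS256', 'typ' => 'JWT' ) ) ),
        $b64( wp_json_encode( $claims ) ),
    );
    $signing_input = implode( '.', $segments );
    $segments[]    = $b64( hash_hmac( 'sha256', $signing_input, $secret, true ) );
    return implode( '.', $segments );
}

/** The data the browser needs to join: SDK key plus a freshly-signed, short-lived JWT. */
function my_zoom_sdk_payload( int $meeting_post_id ): array {
    $sdk_key    = (string) get_option( 'my_zoom_sdk_key' );    // assumed option name
    $sdk_secret = (string) get_option( 'my_zoom_sdk_secret' ); // assumed option name
    $now        = time();
    $claims     = array(
        'key' => $sdk_key,
        'iat' => $now,
        'exp' => $now + 2 * HOUR_IN_SECONDS, // short lifetime limits the value of a leaked token
    );
    return array(
        'meeting_id' => get_post_meta( $meeting_post_id, 'my_zoom_meeting_id', true ), // assumed meta key
        'sdk_key'    => $sdk_key,
        'jwt'        => my_zoom_sign_jwt( $claims, $sdk_secret ),
    );
}

/**
 * VULNERABLE shape: any visitor who reaches the join-via-browser page gets the
 * SDK key and a signed JWT localized into the page, with no check at all.
 */
function my_zoom_localize_unchecked( int $meeting_post_id ): void {
    wp_localize_script( 'my-zoom-join', 'mtg_data', my_zoom_sdk_payload( $meeting_post_id ) );
}

/**
 * Authorization rule used by the hardened paths: a logged-in user who authored
 * the meeting post, or who can edit it, may receive join credentials.
 */
function my_zoom_user_may_join( int $meeting_post_id ): bool {
    if ( ! is_user_logged_in() ) {
        return false;
    }
    $post = get_post( $meeting_post_id );
    if ( ! $post ) {
        return false;
    }
    if ( (int) $post->post_author === get_current_user_id() ) {
        return true;
    }
    return current_user_can( 'edit_post', $meeting_post_id );
}

/** HARDENED shape of the template path: check first, localize only on success. */
function my_zoom_localize_checked( int $meeting_post_id ): void {
    if ( ! my_zoom_user_may_join( $meeting_post_id ) ) {
        wp_die(
            esc_html__( 'You are not allowed to join this meeting.', 'my-zoom' ),
            '',
            array( 'response' => 403 )
        );
    }
    wp_localize_script( 'my-zoom-join', 'mtg_data', my_zoom_sdk_payload( $meeting_post_id ) );
}

/** HARDENED shape of the admin-ajax path: nonce, then the same authorization rule. */
function my_zoom_ajax_sdk_credentials(): void {
    check_ajax_referer( 'my_zoom_join', 'nonce' ); // CSRF check; not a substitute for authorization
    $meeting_post_id = isset( $_POST['meeting_post_id'] ) ? absint( $_POST['meeting_post_id'] ) : 0;
    if ( ! my_zoom_user_may_join( $meeting_post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    wp_send_json_success( my_zoom_sdk_payload( $meeting_post_id ) );
}
// Registered for logged-in users only: there is deliberately no wp_ajax_nopriv_ hook,
// so unauthenticated callers never reach a handler that could hand out credentials.
add_action( 'wp_ajax_my_zoom_sdk_credentials', 'my_zoom_ajax_sdk_credentials' );
```

Two design points carry the weight here. The authorization decision lives in one function (`my_zoom_user_may_join`) that both the template path and the AJAX path call, so the two disclosure routes named in the Vulnerability section cannot drift apart. And the nonce check in the AJAX handler is kept separate from the capability check: a nonce proves the request came from a page the site served, not that the requester is entitled to the meeting, so it cannot replace the author/capability test.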
Preconditions
- config: The site must be running the Video Conferencing with Zoom plugin version 4.6.7 or earlier
- input: The attacker must know or guess a valid encrypted meeting ID (the `join` parameter)
- auth: No authentication or user interaction is required
Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- plugins.trac.wordpress.org/browser/video-conferencing-with-zoom-api/tags/4.6.6/includes/admin/class-zvc-admin-ajax.php (nvd)
- plugins.trac.wordpress.org/browser/video-conferencing-with-zoom-api/tags/4.6.6/includes/template-functions.php (nvd)
- plugins.trac.wordpress.org/browser/video-conferencing-with-zoom-api/tags/4.6.7/includes/admin/class-zvc-admin-ajax.php (nvd)
- plugins.trac.wordpress.org/browser/video-conferencing-with-zoom-api/tags/4.6.7/includes/template-functions.php (nvd)
- plugins.trac.wordpress.org/browser/video-conferencing-with-zoom-api/trunk/includes/admin/class-zvc-admin-ajax.php (nvd)
- plugins.trac.wordpress.org/browser/video-conferencing-with-zoom-api/trunk/includes/template-functions.php (nvd)
- plugins.trac.wordpress.org/changeset (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/328a4d88-afa2-4305-a8e5-73e626e9f53f (nvd)
News mentions
No linked articles in our index yet.