CVE-2026-1368 (GCVE-0-2026-1368)
Vulnerability from cvelistv5 – Published: 2026-02-18 06:00 – Updated: 2026-02-18 06:00
VLAI?
Title
Video Conferencing with Zoom API < 4.6.6 - Unauthenticated SDK Signature Generation
Summary
The Video Conferencing with Zoom WordPress plugin before 4.6.6 contains an AJAX handler that has its nonce verification commented out, allowing unauthenticated attackers to generate valid Zoom SDK signatures for any meeting ID and retrieve the site's Zoom SDK key.
Severity ?
No CVSS data available.
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Video Conferencing with Zoom |
Affected:
0 , < 4.6.6
(semver)
|
Credits
yiğit ibrahim sağlam
WPScan
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Video Conferencing with Zoom",
"vendor": "Unknown",
"versions": [
{
"lessThan": "4.6.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "yi\u011fit ibrahim sa\u011flam"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Video Conferencing with Zoom WordPress plugin before 4.6.6 contains an AJAX handler that has its nonce verification commented out, allowing unauthenticated attackers to generate valid Zoom SDK signatures for any meeting ID and retrieve the site\u0027s Zoom SDK key."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T06:00:09.953Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/218e6655-c5aa-4bce-86b2-cad3bb20020c/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Video Conferencing with Zoom API \u003c 4.6.6 - Unauthenticated SDK Signature Generation",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2026-1368",
"datePublished": "2026-02-18T06:00:09.953Z",
"dateReserved": "2026-01-23T13:19:23.260Z",
"dateUpdated": "2026-02-18T06:00:09.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-1368\",\"sourceIdentifier\":\"contact@wpscan.com\",\"published\":\"2026-02-18T06:16:34.327\",\"lastModified\":\"2026-02-18T06:16:34.327\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Video Conferencing with Zoom WordPress plugin before 4.6.6 contains an AJAX handler that has its nonce verification commented out, allowing unauthenticated attackers to generate valid Zoom SDK signatures for any meeting ID and retrieve the site\u0027s Zoom SDK key.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://wpscan.com/vulnerability/218e6655-c5aa-4bce-86b2-cad3bb20020c/\",\"source\":\"contact@wpscan.com\"}]}}"
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…