Description
The Video Conferencing with Zoom WordPress plugin before 3.8.17 does not have authorisation in its vczapi_get_wp_users AJAX action, allowing any authenticated users, such as subscriber to download the list of email addresses registered on the blog
References (2)
Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/91c44c45-994b-4aed-b9f9-7db45924eeb4
Patch, Third Party Advisory x_refsource_confirm
https://plugins.trac.wordpress.org/changeset/2671219
Scores
CVSS v3
4.3
EPSS
0.0099
EPSS Percentile
58.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
imdpen/video_conferencing_with_zoom
< 3.8.17
Published
Mar 07, 2022
Tracked Since
Feb 18, 2026