CVE-2026-1368

HIGH NUCLEI

Zoom WordPress Plugin <4.6.6 - Auth Bypass

Title source: llm

Description

The Video Conferencing with Zoom WordPress plugin before 4.6.6 contains an AJAX handler that has its nonce verification commented out, allowing unauthenticated attackers to generate valid Zoom SDK signatures for any meeting ID and retrieve the site's Zoom SDK key.

Nuclei Templates (1)

Video Conferencing with Zoom API < 4.6.6 - Unauthenticated SDK Signature Generation

HIGHVERIFIEDby 0x_Akoko

FOFA: body="/wp-content/plugins/video-conferencing-with-zoom-api/"

References (1)

[Third Party Advisory] https://wpscan.com/vulnerability/218e6655-c5aa-4bce-86b2-cad3bb20020c/

Scores

CVSS v3 7.5

EPSS 0.3292

EPSS Percentile 96.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-287

Status published

Products (1)

Unknown/Video Conferencing with Zoom < 4.6.6

Published Feb 18, 2026

Tracked Since Feb 18, 2026