Exploitation Summary
CVE-2026-1368 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
The Video Conferencing with Zoom WordPress plugin before 4.6.6 contains an AJAX handler that has its nonce verification commented out, allowing unauthenticated attackers to generate valid Zoom SDK signatures for any meeting ID and retrieve the site's Zoom SDK key.
Nuclei Templates (1)
Video Conferencing with Zoom API < 4.6.6 - Unauthenticated SDK Signature Generation
HIGHVERIFIEDby 0x_Akoko
FOFA:
body="/wp-content/plugins/video-conferencing-with-zoom-api/"
References (1)
Core 1
Core References
Third Party Advisory exploit
vdb-entry
technical-description
https://wpscan.com/vulnerability/218e6655-c5aa-4bce-86b2-cad3bb20020c/
Scores
CVSS v3
7.5
EPSS
0.0121
EPSS Percentile
64.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-287
Status
published
Products (1)
Unknown/Video Conferencing with Zoom
< 4.6.6
Published
Feb 18, 2026
Tracked Since
Feb 18, 2026