CVE-2025-11760: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in wpcenter eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams
The eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams plugin for WordPress is vulnerable to exposure of sensitive information in all versions up to, and including, 1.5.6. This is due to the plugin exposing Zoom SDK secret keys in client-side JavaScript within the meeting view template. This makes it possible for unauthenticated attackers to extract the sdk_secret value, which should remain server-side, compromising the security of the Zoom integration and allowing attackers to generate valid JWT signatures for unauthorized meeting access.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The vulnerability identified as CVE-2025-11760 affects the wpcenter eRoom – Webinar & Meeting Plugin for WordPress, which integrates Zoom, Google Meet, and Microsoft Teams functionalities. Specifically, in all versions up to 1.5.6, the plugin improperly exposes Zoom SDK secret keys within client-side JavaScript embedded in the meeting view template. These SDK secret keys (sdk_secret) are intended to remain confidential on the server side to prevent unauthorized use. However, due to this exposure, unauthenticated attackers can extract these secrets directly from the client-side code without any authentication or user interaction. With access to the sdk_secret, attackers can generate valid JSON Web Tokens (JWTs) that authenticate them as legitimate users or services, enabling unauthorized access to Zoom meetings. This compromises the confidentiality of meetings and potentially allows attackers to join, listen, or disrupt sessions. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and has a CVSS 3.1 base score of 5.3, reflecting a medium severity level. The attack vector is network-based with low complexity and no privileges or user interaction required. Although no public exploits have been reported yet, the risk remains significant due to the sensitive nature of the exposed credentials and the widespread use of the plugin in WordPress environments.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of sensitive Zoom SDK secret keys, which undermines the security of the Zoom integration within the affected plugin. Attackers leveraging these secrets can generate valid JWT tokens, granting them unauthorized access to Zoom meetings. This can lead to breaches of confidentiality, including eavesdropping on private meetings, data leakage, and potential disruption of business operations. Organizations relying on this plugin for secure webinar and meeting management face risks of reputational damage, compliance violations (especially if sensitive or regulated data is discussed in meetings), and operational interruptions. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely and at scale, increasing the threat surface. The exposure also raises concerns about trust in the plugin’s security practices and may necessitate broader security reviews of third-party integrations. Although the vulnerability does not directly impact integrity or availability, the confidentiality breach alone can have severe consequences depending on the sensitivity of the meetings conducted.
Mitigation Recommendations
To mitigate this vulnerability:
- Organizations should immediately upgrade the eRoom plugin to a version where the Zoom SDK secret keys are no longer exposed client-side; if no patched version is available, temporarily disabling the plugin or the Zoom integration is advisable.
- Developers should refactor the plugin code to ensure that all sensitive credentials, especially sdk_secret values, remain strictly server-side and are never embedded in client-side JavaScript or exposed in any frontend templates.
- Implementing server-side token generation and validation for Zoom JWTs is critical to prevent unauthorized token creation.
- Organizations should rotate any exposed Zoom SDK secret keys to invalidate any potentially compromised credentials.
- Monitoring access logs for unusual JWT generation or meeting join activity can help detect exploitation attempts.
- Employing Web Application Firewalls (WAFs) to detect and block suspicious requests targeting the plugin's meeting view endpoints may provide temporary protection.
- Conducting a security audit of all third-party plugins and integrations to ensure no other sensitive information is exposed client-side is recommended.
Affected Countries
United States, Canada, United Kingdom, Germany, Australia, India, Japan, France, Brazil, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-14T20:12:49.862Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fc33f2f816635dda09c014
Added to database: 10/25/2025, 2:20:34 AM
Last enriched: 2/27/2026, 7:18:55 PM
Last updated: 3/25/2026, 12:11:54 AM
Views: 282