CVE-2025-11760: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in wpcenter eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams
The eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams plugin for WordPress is vulnerable to exposure of sensitive information in all versions up to, and including, 1.5.6. This is due to the plugin exposing Zoom SDK secret keys in client-side JavaScript within the meeting view template. This makes it possible for unauthenticated attackers to extract the sdk_secret value, which should remain server-side, compromising the security of the Zoom integration and allowing attackers to generate valid JWT signatures for unauthorized meeting access.
AI Analysis
Technical Summary
CVE-2025-11760 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams, a WordPress plugin designed to facilitate webinar and meeting integrations. The vulnerability exists in all versions up to and including 1.5.6. The root cause is the exposure of Zoom SDK secret keys within client-side JavaScript embedded in the meeting view template. These secret keys, specifically the sdk_secret, are intended to remain confidential on the server side to secure the Zoom integration. However, due to improper handling, the secret is exposed in the client environment, making it accessible to any unauthenticated user who can view the page source or intercept the JavaScript. With access to the sdk_secret, attackers can generate valid JSON Web Token (JWT) signatures, which are used to authenticate and authorize access to Zoom meetings. This allows unauthorized actors to potentially join or manipulate meetings without permission. The vulnerability has a CVSS 3.1 base score of 5.3, indicating a medium severity level, with an attack vector of network (no physical or local access needed), low attack complexity, no privileges required, and no user interaction needed. The impact is limited to confidentiality as the exposure of the secret key does not directly affect data integrity or availability. No known exploits have been reported in the wild as of the publication date. The vulnerability highlights a common security misconfiguration where sensitive credentials are mistakenly exposed in client-side code, violating best practices for secret management in web applications.
Potential Impact
For European organizations, this vulnerability poses a significant confidentiality risk, particularly for those that rely on the eRoom plugin to manage Zoom meetings. Unauthorized access to meetings can lead to information leakage, disruption of confidential communications, and potential exposure of sensitive business discussions or personal data. This risk is heightened in sectors such as finance, healthcare, legal, and government, where meeting confidentiality is critical. Although the vulnerability does not directly compromise data integrity or system availability, the unauthorized meeting access enabled by stolen SDK secrets can facilitate further social engineering or phishing attacks. Additionally, organizations may face reputational damage and regulatory penalties under GDPR if sensitive personal data is exposed during unauthorized meetings. The lack of known exploits in the wild suggests a window for proactive mitigation, but the ease of exploitation (no authentication or user interaction needed) means attackers could quickly leverage this vulnerability once discovered. The impact is more pronounced for organizations with high dependency on Zoom integrations and those that have not implemented compensating controls such as network segmentation or multi-factor authentication for meeting access.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately audit their use of the eRoom plugin and verify whether they are running an affected version (up to and including 1.5.6). They should remove any Zoom SDK secret keys from client-side JavaScript and ensure all sensitive credentials are stored and processed exclusively on the server side. Until an official patch is released, consider disabling the plugin or restricting access to meeting pages via IP whitelisting or authentication gateways to reduce exposure. Monitor web traffic and logs for unusual access patterns or attempts to extract JavaScript secrets. Implement strict Content Security Policies (CSP) to limit script execution and reduce the risk of client-side data leakage. Once a patched version is available, promptly update the plugin. Additionally, review Zoom account security settings, rotate SDK secrets (any secret that has been served to browsers must be treated as compromised even after the template is fixed), and enforce strong authentication mechanisms for meeting access. Educate users and administrators about the risks of exposing secrets in client code and establish secure development practices to prevent similar issues in the future.
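The following is an added illustration of the misconfiguration class described in this advisory and of the server-side pattern the mitigation calls for; it is not the eRoom plugin's own code nor the vendor's fix. The first function shows how a WordPress template leaks a signing secret when it passes it to the browser with `wp_localize_script`; the second keeps the secret on the server and exposes only a short-lived signature through a REST route guarded by WordPress's REST nonce and a permission callback. All function, option and route names are hypothetical, and the JWT claim names are an assumption modelled on Zoom's published Meeting SDK signature sample and should be checked against current Zoom documentation.

```php
<?php
// Added example for this advisory; not code from the eRoom plugin.
// Function names, option names and the REST route are hypothetical.

// --- Vulnerable pattern (CWE-200) ---
// The signing secret is serialized into the page next to the public SDK key,
// so anyone who can load the meeting page can read it from the page source.
function eroom_example_vulnerable_enqueue() {
    wp_enqueue_script( 'eroom-example-meeting', plugins_url( 'meeting.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'eroom-example-meeting', 'eroomZoom', array(
        'sdk_key'    => get_option( 'eroom_example_zoom_sdk_key' ),
        'sdk_secret' => get_option( 'eroom_example_zoom_sdk_secret' ), // leaks the signing key
    ) );
}

// --- Hardened pattern ---
// Only the public SDK key reaches the browser. The signature is minted on the
// server by a REST route; the client sends the 'wp_rest' nonce in X-WP-Nonce.
function eroom_example_hardened_enqueue() {
    wp_enqueue_script( 'eroom-example-meeting', plugins_url( 'meeting.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'eroom-example-meeting', 'eroomZoom', array(
        'sdk_key'  => get_option( 'eroom_example_zoom_sdk_key' ),
        'sign_url' => rest_url( 'eroom-example/v1/signature' ),
        'nonce'    => wp_create_nonce( 'wp_rest' ),
    ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'eroom-example/v1', '/signature', array(
        'methods'             => 'POST',
        'callback'            => 'eroom_example_signature',
        'permission_callback' => function () {
            // Only authenticated users may request a signature; tighten this
            // (e.g. check meeting registration) according to site policy.
            return is_user_logged_in();
        },
        'args' => array(
            'meeting_number' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

// Base64url without padding, as required for JWT segments.
function eroom_example_base64url( $data ) {
    return rtrim( strtr( base64_encode( $data ), '+/', '-_' ), '=' );
}

function eroom_example_signature( WP_REST_Request $request ) {
    $sdk_key    = get_option( 'eroom_example_zoom_sdk_key' );
    $sdk_secret = get_option( 'eroom_example_zoom_sdk_secret' ); // never leaves the server
    $meeting    = preg_replace( '/\D/', '', (string) $request->get_param( 'meeting_number' ) );
    if ( '' === $meeting ) {
        return new WP_Error( 'bad_meeting', 'Invalid meeting number', array( 'status' => 400 ) );
    }

    $now = time();
    // Assumption: claim names follow Zoom's Meeting SDK signature sample.
    $header  = array( 'alg' => 'HS256', 'typ' => 'JWT' );
    $payload = array(
        'appKey'   => $sdk_key,
        'sdkKey'   => $sdk_key,
        'mn'       => $meeting,
        'role'     => 0,                 // attendee; decided server-side, never by the client
        'iat'      => $now - 30,         // small skew allowance
        'exp'      => $now + 2 * 3600,   // short lifetime limits the value of a captured token
        'tokenExp' => $now + 2 * 3600,
    );

    $signing_input = eroom_example_base64url( wp_json_encode( $header ) ) . '.'
                   . eroom_example_base64url( wp_json_encode( $payload ) );
    $mac = hash_hmac( 'sha256', $signing_input, $sdk_secret, true );

    return rest_ensure_response( array(
        'signature' => $signing_input . '.' . eroom_example_base64url( $mac ),
    ) );
}
```

The defensive point is the asymmetry: the browser can hold the public SDK key and a signature that expires in hours, but the HMAC secret must only ever be an input to `hash_hmac` on the server. Auditing a site for this class of issue means searching every `wp_localize_script`, inline `<script>` and JSON-in-template path for secret-bearing option names; any secret found there should be rotated, not just removed.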
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-14T20:12:49.862Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fc33f2f816635dda09c014
Added to database: 10/25/2025, 2:20:34 AM
Last enriched: 11/1/2025, 5:28:19 AM
Last updated: 12/8/2025, 10:42:22 AM