CVE-2025-11760 is a vulnerability in the eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams for WordPress that causes exposure of sensitive information (Zoom SDK secret keys) in client-side JavaScript within the meeting view template. This exposure allows unauthenticated attackers to extract the sdk_secret value, which should be kept server-side to maintain security. The compromised secret enables attackers to generate valid JWT signatures, undermining the security of Zoom meeting integrations and potentially allowing unauthorized access to meetings. The vulnerability affects all versions up to and including 1.5.6. The CVSS 3.1 base score is 5.3, reflecting medium severity with network attack vector, low attack complexity, no privileges required, no user interaction, and limited confidentiality impact. No patch or official fix is currently documented.

The vulnerability allows unauthorized actors to obtain Zoom SDK secret keys by accessing client-side JavaScript, which should not be exposed. With these keys, attackers can generate valid JWT tokens, potentially enabling unauthorized access to Zoom meetings integrated via the plugin. This compromises the confidentiality of meeting access controls but does not directly impact integrity or availability. There are no known active exploits reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or removing the plugin to prevent exposure of sensitive keys. Avoid using affected versions of the plugin in production environments where Zoom meeting security is critical. Monitor vendor channels for updates or patches addressing this vulnerability.