CVE-2026-1368: CWE-287 Improper Authentication in Video Conferencing with Zoom
The Video Conferencing with Zoom WordPress plugin before 4.6.6 contains an AJAX handler that has its nonce verification commented out, allowing unauthenticated attackers to generate valid Zoom SDK signatures for any meeting ID and retrieve the site's Zoom SDK key.
AI Analysis
Technical Summary
CVE-2026-1368 is a vulnerability classified under CWE-287 (Improper Authentication) found in the Video Conferencing with Zoom WordPress plugin prior to version 4.6.6. The root cause is that an AJAX handler responsible for generating Zoom SDK signatures has its nonce verification mechanism commented out, effectively disabling a critical authentication step. Nonces in WordPress are used to protect against CSRF and ensure that requests come from legitimate users. Without this verification, unauthenticated attackers can invoke the AJAX endpoint to generate valid Zoom SDK signatures for any meeting ID of their choosing. Additionally, attackers can retrieve the site's Zoom SDK key, which is a sensitive credential used to authenticate Zoom SDK requests. Possession of these credentials allows attackers to impersonate legitimate meetings, potentially joining or manipulating meetings without authorization, or creating forged meeting sessions that appear authentic. This undermines the confidentiality and integrity of video conferencing sessions. The vulnerability does not require user interaction or authentication, making exploitation straightforward for remote attackers. Although no public exploits have been reported yet, the presence of such a flaw in a widely used plugin poses a significant risk. The plugin is commonly used by organizations to embed Zoom meetings within WordPress sites, making the attack surface broad. The lack of a CVSS score indicates that the vulnerability is newly published and not yet fully assessed, but the technical details suggest a serious authentication bypass issue.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized access to internal or external video conferencing sessions, risking exposure of sensitive discussions, intellectual property, and personal data. Attackers could impersonate legitimate meetings or disrupt communications, impacting business continuity and trust. Organizations in sectors such as finance, healthcare, government, and education that rely heavily on Zoom integrated via WordPress are particularly vulnerable. The compromise of Zoom SDK keys could also facilitate further attacks on Zoom infrastructure or enable phishing campaigns using forged meeting invites. The breach of confidentiality and integrity could result in regulatory non-compliance under GDPR, leading to legal and financial penalties. Additionally, reputational damage from leaked or manipulated meetings could be severe. The ease of exploitation without authentication increases the likelihood of opportunistic attacks, especially in environments where patching is delayed.
Mitigation Recommendations
Immediate mitigation involves updating the Video Conferencing with Zoom WordPress plugin to version 4.6.6 or later, where nonce verification is restored. If an update is not yet available, site administrators should implement custom nonce verification in the AJAX handler to ensure only authenticated requests can generate Zoom SDK signatures. Restricting access to the AJAX endpoint via web application firewall (WAF) rules or IP whitelisting can reduce exposure. Monitoring logs for unusual AJAX requests related to Zoom SDK signature generation can help detect exploitation attempts. Organizations should also rotate Zoom SDK keys if compromise is suspected. Educating site administrators on the importance of timely plugin updates and secure coding practices is critical. Finally, consider isolating Zoom integration components and limiting their permissions to minimize impact if compromised.
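The following is an added example, not the plugin's own code, showing the shape of a hardened WordPress AJAX handler for issuing Zoom SDK signatures: the nonce check is active, a capability check is added (a nonce alone proves the request came from a page the site served, not who sent it), and the SDK secret never leaves the server. The action, nonce and option names are hypothetical, and the JWT claim layout is an assumption based on Zoom's Meeting SDK documentation.

```php
<?php
// Hypothetical hardened handler (added example). Only the authenticated
// wp_ajax_ hook is registered; no wp_ajax_nopriv_ variant exists, so
// anonymous visitors never reach this code.
add_action( 'wp_ajax_example_zoom_sdk_signature', 'example_zoom_sdk_signature' );

function example_zoom_sdk_signature() {
    // 1. CSRF: the nonce check is live, not commented out. check_ajax_referer()
    //    terminates the request with HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'example_zoom_sdk_nonce', 'nonce' );

    // 2. Authentication/authorization: a nonce is not a login. Require a user
    //    with at least the 'read' capability before issuing anything.
    if ( ! is_user_logged_in() || ! current_user_can( 'read' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: meeting number must be digits only; the host role (1)
    //    is granted only to administrators, everyone else is an attendee (0).
    $raw     = isset( $_POST['meeting_id'] ) ? wp_unslash( $_POST['meeting_id'] ) : '';
    $meeting = preg_replace( '/\D/', '', $raw );
    if ( '' === $meeting ) {
        wp_send_json_error( array( 'message' => 'bad meeting id' ), 400 );
    }
    $role = current_user_can( 'manage_options' ) ? 1 : 0;

    // 4. Secret handling: the SDK secret is read server side and used only to sign;
    //    the response carries the signature and the SDK key, never the secret.
    $sdk_key    = get_option( 'example_zoom_sdk_key' );    // hypothetical option
    $sdk_secret = get_option( 'example_zoom_sdk_secret' ); // hypothetical option
    $signature  = example_zoom_sdk_jwt( $sdk_key, $sdk_secret, $meeting, $role );

    wp_send_json_success( array( 'signature' => $signature, 'sdkKey' => $sdk_key ) );
}

// HS256 JWT in the claim layout the Zoom Meeting SDK expects (assumption).
function example_zoom_sdk_jwt( $key, $secret, $meeting, $role, $ttl = 7200 ) {
    $b64 = function ( $s ) { return rtrim( strtr( base64_encode( $s ), '+/', '-_' ), '=' ); };
    $iat    = time() - 30; // small skew allowance
    $claims = array(
        'sdkKey' => $key, 'appKey' => $key, 'mn' => $meeting, 'role' => $role,
        'iat' => $iat, 'exp' => $iat + $ttl, 'tokenExp' => $iat + $ttl,
    );
    $data = $b64( wp_json_encode( array( 'alg' => 'HS256', 'typ' => 'JWT' ) ) )
          . '.' . $b64( wp_json_encode( $claims ) );
    return $data . '.' . $b64( hash_hmac( 'sha256', $data, $secret, true ) );
}
```

The page's fix for the vulnerable version is the first step alone (restoring the nonce check); steps 2 to 4 are the additional controls a reviewer would expect around a signature-issuing endpoint.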
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: WPScan
- Date Reserved: 2026-01-23T13:19:23.260Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6995590380d747be20465104
Added to database: 2/18/2026, 6:15:31 AM
Last enriched: 2/18/2026, 6:29:53 AM
Last updated: 2/21/2026, 12:16:55 AM