CVE-2026-6964: CWE-862 Missing Authorization in j_3rk Video Conferencing with Zoom
The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to obtain the site's Zoom SDK API key and a freshly-signed JWT that can be used with the Zoom Web SDK to join any Zoom meeting associated with those credentials without a legitimate invitation.
AI Analysis
Technical Summary
CVE-2026-6964 is an authorization bypass vulnerability in the j_3rk Video Conferencing with Zoom WordPress plugin. The plugin fails to properly verify user authorization before allowing certain actions, enabling unauthenticated attackers to retrieve sensitive credentials including the Zoom SDK API key and a freshly-signed JWT token. These credentials can then be used to join Zoom meetings without invitation. The vulnerability affects all versions up to and including 4.6.7. No official patch or remediation guidance has been published by the vendor as of the information provided.
Potential Impact
An attacker exploiting this vulnerability can obtain the Zoom SDK API key and a freshly-signed JWT token, allowing unauthorized access to Zoom meetings associated with the compromised credentials. This could lead to unauthorized meeting attendance and potential exposure of sensitive meeting content. The vulnerability does not impact integrity or availability according to the CVSS vector, but confidentiality is impacted at a low level.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the plugin settings and Zoom API credentials to trusted administrators only. Monitor for updates from the vendor and apply any official patches promptly once released.
CVSS v3.1
Score: 5.3 (Medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-04-24T15:52:18.522Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a30cdd30b89be688835a3f2
Added to database: 6/16/2026, 4:15:15 AM
Last enriched: 6/16/2026, 4:30:10 AM
Last updated: 6/16/2026, 7:40:50 AM