CVE-2026-1368

Video Conferencing with Zoom API < 4.6.6 - Unauthenticated SDK Signature Generation

CVSS 7.5 HIGHEPSS 1.2%CWE-287

Vexday Risk Score

36Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 7.5EPSS 1.2%KEV nãoPoC —Nuclei simMetasploit —Patch —

Lifecycle

18 Feb 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

The Video Conferencing with Zoom WordPress plugin before 4.6.6 contains an AJAX handler that has its nonce verification commented out, allowing unauthenticated attackers to generate valid Zoom SDK signatures for any meeting ID and retrieve the site's Zoom SDK key.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

Unknown · Video Conferencing with Zoom

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://wpscan.com/vulnerability/218e6655-c5aa-4bce-86b2-cad3bb20020c/