CVE-2026-1368
Published: 18 February 2026
Summary
CVE-2026-1368 is a high-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The Video Conferencing with Zoom WordPress plugin before version 4.6.6 is affected by CVE-2026-1368, a vulnerability in an AJAX handler whose nonce verification has been commented out. This corresponds to CWE-287 and carries a CVSS 3.1 score of 7.5, reflecting network-accessible exploitation with no required authentication or user interaction that results in high confidentiality impact.
Unauthenticated remote attackers can invoke the handler to obtain valid Zoom SDK signatures for arbitrary meeting identifiers and to extract the site's Zoom SDK key, thereby gaining access to meeting resources that would otherwise be restricted.
The referenced WPScan advisory at https://wpscan.com/vulnerability/218e6655-c5aa-4bce-86b2-cad3bb20020c/ documents the flaw and indicates that the issue is resolved in plugin version 4.6.6 and later. The associated EPSS score has remained at 0.3292 with no material increase observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8067
Vulnerability details
The Video Conferencing with Zoom WordPress plugin before 4.6.6 contains an AJAX handler that has its nonce verification commented out, allowing unauthenticated attackers to generate valid Zoom SDK signatures for any meeting ID and retrieve the site's Zoom SDK key.
- CWE(s): CWE-287 (Improper Authentication)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing nonce verification in a public AJAX endpoint directly enables unauthenticated exploitation of a web-facing application (T1190) and retrieval of sensitive SDK credentials (T1552).
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: requires timely identification, reporting, and correction of flaws such as the missing nonce verification in the plugin, which directly enables patching to version 4.6.6.
- SI-10 (Information Input Validation): mandates validation of inputs such as nonces on the AJAX handler, preventing unauthenticated attackers from generating valid signatures or retrieving the SDK key.
- AC-3 (Access Enforcement): enforces approved authorizations on AJAX endpoints to block unauthenticated access to sensitive functions like Zoom SDK signature generation.
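To make the defect class and the two controls above concrete, here is an added illustration in PHP of the vulnerable handler shape beside a hardened one. It is not the plugin's code and none of its names are from the plugin: the action `demo_zoom_sign`, the option names `demo_zoom_sdk_key` and `demo_zoom_sdk_secret`, and the helper `demo_generate_sdk_signature` are all hypothetical, and the JWT claim set is an assumption shaped like the Zoom Meeting SDK signature rather than a statement of Zoom's current format. The WordPress API calls (`check_ajax_referer`, `wp_send_json_error`, `current_user_can`, `wp_ajax_` / `wp_ajax_nopriv_` hooks) are real.

```php
<?php
// Added example, not the plugin's code. Hypothetical names throughout.
// Assumes site options 'demo_zoom_sdk_key' / 'demo_zoom_sdk_secret' hold the credentials.

// Compact HS256 JWT. Claim set is an assumption modelled on the Meeting SDK
// signature (sdkKey, mn, role, iat, exp, tokenExp); check Zoom's docs for the current set.
function demo_generate_sdk_signature( string $sdk_key, string $sdk_secret, string $meeting_number, int $role ): string {
    $b64 = static function ( string $s ): string {
        return rtrim( strtr( base64_encode( $s ), '+/', '-_' ), '=' );
    };
    $iat     = time() - 30;            // small skew allowance
    $exp     = $iat + 2 * 60 * 60;     // two-hour validity
    $header  = $b64( wp_json_encode( array( 'alg' => 'HS256', 'typ' => 'JWT' ) ) );
    $payload = $b64( wp_json_encode( array(
        'sdkKey'   => $sdk_key,
        'mn'       => $meeting_number,
        'role'     => $role,
        'iat'      => $iat,
        'exp'      => $exp,
        'tokenExp' => $exp,
    ) ) );
    $sig = $b64( hash_hmac( 'sha256', "$header.$payload", $sdk_secret, true ) );
    return "$header.$payload.$sig";
}

// VULNERABLE shape (the defect class the advisory describes): the nonce check is
// commented out and the action is hooked for logged-out users, so any HTTP client
// can mint a signature for any meeting number and read the SDK key.
function demo_zoom_sign_vulnerable() {
    // check_ajax_referer( 'demo_zoom_sign', 'nonce' );
    $meeting = isset( $_POST['meeting_number'] ) ? sanitize_text_field( wp_unslash( $_POST['meeting_number'] ) ) : '';
    $sdk_key = get_option( 'demo_zoom_sdk_key' );
    wp_send_json_success( array(
        'sdkKey'    => $sdk_key,
        'signature' => demo_generate_sdk_signature( $sdk_key, get_option( 'demo_zoom_sdk_secret' ), $meeting, 0 ),
    ) );
}
add_action( 'wp_ajax_nopriv_demo_zoom_sign', 'demo_zoom_sign_vulnerable' );

// HARDENED shape: CSRF nonce (SI-10), authentication and capability check (AC-3),
// strict input validation, and the secret never leaves the server.
function demo_zoom_sign_hardened() {
    // 1. Nonce tied to this action. Third argument false: report instead of wp_die().
    if ( ! check_ajax_referer( 'demo_zoom_sign', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }
    // 2. A nonce is not an authentication token: require a logged-in user with a capability.
    if ( ! is_user_logged_in() || ! current_user_can( 'read' ) ) {
        wp_send_json_error( array( 'message' => 'Not authorized.' ), 401 );
    }
    // 3. Validate inputs: meeting numbers are typically 9-11 digits; role is 0 (attendee) or 1 (host).
    $meeting = isset( $_POST['meeting_number'] ) ? sanitize_text_field( wp_unslash( $_POST['meeting_number'] ) ) : '';
    $role    = isset( $_POST['role'] ) ? (int) $_POST['role'] : 0;
    if ( ! preg_match( '/^\d{9,11}$/', $meeting ) || ! in_array( $role, array( 0, 1 ), true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid meeting number or role.' ), 400 );
    }
    // 4. Host signatures only for users allowed to administer the site's meetings.
    if ( 1 === $role && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Host role not permitted.' ), 403 );
    }
    $sdk_key = get_option( 'demo_zoom_sdk_key' );
    wp_send_json_success( array(
        'sdkKey'    => $sdk_key,
        'signature' => demo_generate_sdk_signature( $sdk_key, get_option( 'demo_zoom_sdk_secret' ), $meeting, $role ),
    ) );
}
// Hooked only for authenticated users: no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_demo_zoom_sign', 'demo_zoom_sign_hardened' );
```

The front end supplies the nonce by passing `wp_create_nonce( 'demo_zoom_sign' )` to the script (for example via `wp_localize_script`) and posting it as the `nonce` field. Note that the two checks are independent layers: the nonce defends against cross-site request forgery by a browser that already has a session, while the `is_user_logged_in` / `current_user_can` checks are what actually stop an unauthenticated caller, which is why restoring the commented-out nonce line alone would not have been a complete fix for the access-control aspect of this advisory.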