PatchSiren cyber security CVE debrief
CVE-2026-6964 j_3rk CVE debrief
The Video Conferencing with Zoom plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.6.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to obtain the site's Zoom SDK API key and a freshly-signed JWT that can be used with the Zoom Web SDK to join any Zoom meeting associated with those credentials without a legitimate invitation.
- Vendor: j_3rk
- Product: Video Conferencing with Zoom
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-16
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-16
Who should care
Anyone running the Video Conferencing with Zoom plugin for WordPress at version 4.6.7 or earlier is affected and should apply the recommended defensive actions to protect their site.
Technical summary
The vulnerability stems from improper authorization checks in the plugin. The plugin does not properly verify that a user is authorized to perform an action. As a result, unauthenticated attackers can obtain sensitive information: the site's Zoom SDK API key and a freshly signed JWT.
Defensive priority
High
Recommended defensive actions
- Update the Video Conferencing with Zoom plugin to a version beyond 4.6.7.
- Review and restrict access to Zoom SDK API keys and JWTs.
- Monitor for suspicious activity related to Zoom meeting invitations and API usage.
Evidence notes
Evidence of this vulnerability includes reports from security researchers at Wordfence, who discovered and disclosed the issue.
Official resources
CVE-2026-6964 was published on 2026-06-16T04:17:26.917Z.