Description
The eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams plugin for WordPress is vulnerable to exposure of sensitive information in all versions up to, and including, 1.5.6. This is due to the plugin exposing Zoom SDK secret keys in client-side JavaScript within the meeting view template. This makes it possible for unauthenticated attackers to extract the sdk_secret value, which should remain server-side, compromising the security of the Zoom integration and allowing attackers to generate valid JWT signatures for unauthorized meeting access.
Published: 2025-10-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Sensitive Data Exposure
Action: Immediate Update
AI Analysis

Impact

The eRoom – Webinar & Meeting Plugin for WordPress contains a flaw that exposes Zoom SDK secret keys in client‑side JavaScript within the meeting view template. A malicious actor who can access a meeting page can read the embedded sdk_secret value, an element that should remain on the server. With this secret the attacker can forge valid JSON Web Tokens, enabling intrusion into any Zoom meeting linked to the plugin and compromising both confidentiality and integrity of the meeting content.

Affected Systems

This issue affects all installations of digitalmeactivecampaign’s eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams up to and including version 1.5.6. WordPress sites that have recent plugin versions but have not applied the fix are at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium impact when measured against the exposed secret, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog, indicating no known large‑scale active exploitation. Authenticated user privileges are not required; anyone who can reach the meeting page can potentially extract the key.

Generated by OpenCVE AI on April 22, 2026 at 21:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the eRoom plugin to a version that no longer embeds the Zoom SDK secret in client‑side scripts.
  • If an update is not immediately available, edit the meeting_view.php template to remove or server‑side‑encode the sdk_secret variable so it is never sent to the browser.
  • Ensure that all Zoom integration keys are stored strictly on the server and only used in authenticated server‑side code, preventing accidental exposure in rendering templates.

Generated by OpenCVE AI on April 22, 2026 at 21:54 UTC.
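The server-side pattern the recommended actions describe, as an added example that is not eRoom plugin code: the vulnerable template inlines sdk_secret into page JavaScript, while the hardened variant hands the browser only public data plus a REST endpoint that returns a short-lived HS256 signature computed on the server. Option names, the REST route, the JWT claim names (sdkKey, mn, role, iat, exp) and the role mapping are assumptions for illustration.

```php
<?php
// Added example, not eRoom plugin code. Option names, the REST route, the JWT
// claim names (sdkKey, mn, role, iat, exp) and role values are assumptions.
// VULNERABLE pattern (what the advisory describes): the meeting view inlines
// the SDK secret into page JavaScript, so any visitor can read it from source.
function vulnerable_meeting_view_script(string $mn): string {
    return '<script>var zoomCfg = ' . wp_json_encode([
        'sdk_key'    => get_option('myplugin_zoom_sdk_key'),
        'sdk_secret' => get_option('myplugin_zoom_sdk_secret'), // leaves the server
        'mn'         => $mn,
    ]) . ';</script>';
}

// HARDENED pattern: the page carries only public data plus an endpoint the
// browser calls to obtain a short-lived signature; the secret stays server-side.
function hardened_meeting_view_script(string $mn): string {
    return '<script>var zoomCfg = ' . wp_json_encode([
        'sdk_key' => get_option('myplugin_zoom_sdk_key'),
        'mn'      => $mn,
        'sig_url' => rest_url('myplugin/v1/zoom-signature'),
        'nonce'   => wp_create_nonce('wp_rest'),
    ]) . ';</script>';
}

function base64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// HS256 JWT signed with the secret; a short 'exp' bounds the life of any leaked token.
function sign_meeting_jwt(string $key, string $secret, string $mn, int $role, int $ttl = 600): string {
    $now     = time();
    $header  = base64url(wp_json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = base64url(wp_json_encode([
        'sdkKey' => $key, 'mn' => $mn, 'role' => $role, 'iat' => $now, 'exp' => $now + $ttl,
    ]));
    $sig = base64url(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

add_action('rest_api_init', function () {
    register_rest_route('myplugin/v1', '/zoom-signature', [
        'methods'             => 'POST',
        'permission_callback' => 'is_user_logged_in',   // no signatures for anonymous visitors
        'args'                => ['mn' => ['required' => true, 'sanitize_callback' => 'sanitize_text_field']],
        'callback'            => function (WP_REST_Request $req) {
            $role = current_user_can('manage_options') ? 1 : 0; // assumed: 1 = host, 0 = attendee
            $jwt  = sign_meeting_jwt(get_option('myplugin_zoom_sdk_key'),
                                     get_option('myplugin_zoom_sdk_secret'), $req['mn'], $role);
            return rest_ensure_response(['signature' => $jwt]);
        },
    ]);
});
```

A quick check for an existing install is to view the rendered meeting page source and confirm that no key named sdk_secret (or the secret's value) appears anywhere in inline script or localized script data.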


Advisories

No advisories yet.

History

Mon, 27 Oct 2025 22:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wpcenter; Wpcenter eroom

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress; Wpcenter; Wpcenter eroom

Mon, 27 Oct 2025 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 25 Oct 2025 02:15:00 +0000

Type: Description
Values Added: The eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams plugin for WordPress is vulnerable to exposure of sensitive information in all versions up to, and including, 1.5.6. This is due to the plugin exposing Zoom SDK secret keys in client-side JavaScript within the meeting view template. This makes it possible for unauthenticated attackers to extract the sdk_secret value, which should remain server-side, compromising the security of the Zoom integration and allowing attackers to generate valid JWT signatures for unauthorized meeting access.

Type: Title
Values Added: eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams <= 1.5.6 - Unauthenticated Sensitive Information Exposure

Type: Weaknesses
Values Added: CWE-200

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:54.332Z

Reserved: 2025-10-14T20:12:49.862Z

Link: CVE-2025-11760

Vulnrichment

Updated: 2025-10-27T15:27:50.361Z

NVD

Status : Deferred

Published: 2025-10-25T02:15:38.397

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11760

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T22:00:18Z

Weaknesses