CVE-2025-11760 MEDIUM

CVE-2025-11760: eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams <= 1.5.6 - Unauthenticated Sensitive Information Exposure

Vendor Digitalmeactivecampaign
Product eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams
Weakness CWE-200 · Info exposure
Published October 25, 2025
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams plugin for WordPress is vulnerable to exposure of sensitive information in all versions up to, and including, 1.5.6. This is due to the plugin exposing Zoom SDK secret keys in client-side JavaScript within the meeting view template. This makes it possible for unauthenticated attackers to extract the sdk_secret value, which should remain server-side, compromising the security of the Zoom integration and allowing attackers to generate valid JWT signatures for unauthorized meeting access.
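A site owner can check a rendered meeting page for this kind of exposure by scanning its inline scripts for secret-named fields. The sketch below is an added example, not the plugin's code or the vendor's fix: only the `sdk_secret` name comes from this advisory, while the function name, the sample markup, the other field names and all values are constructed.

```javascript
// Added example. Only the name sdk_secret comes from the advisory; the page
// markup, the other field names and all values below are constructed.
const SCRIPT = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
// key: "value" or key = "value", with the key optionally quoted (JSON style).
const ASSIGN = /["']?([A-Za-z_$][\w$]*)["']?\s*[:=]\s*(["'])((?:\\.|(?!\2)[^\\\n])*)\2/g;

// Return one finding per non-empty string assigned to a secret-named key
// inside an inline <script>. Values are never returned, only their length.
function findExposedSecrets(html) {
  const findings = [];
  for (const s of html.matchAll(SCRIPT)) {
    if (/\bsrc\s*=/i.test(s[1])) continue; // external file: audit it separately
    const bodyStart = s.index + s[0].indexOf(">") + 1;
    for (const m of s[2].matchAll(ASSIGN)) {
      const key = m[1], value = m[3];
      if (!/secret/i.test(key) || value.length === 0) continue;
      const line = html.slice(0, bodyStart + m.index).split("\n").length;
      findings.push({ key, valueLength: value.length, line });
    }
  }
  return findings;
}

// Constructed "before": the template prints the secret into the page.
const EXPOSED_PAGE = `<div id="meeting"></div>
<script>
var meetingConfig = {
  sdk_key: "CONSTRUCTED_KEY",
  sdk_secret: "CONSTRUCTED_SECRET_VALUE",
  meeting_number: "0000000000"
};
</script>`;

// Constructed "after" (assumed pattern): the secret stays on the server and
// the page receives only a signature the server produced.
const HARDENED_PAGE = `<div id="meeting"></div>
<script src="/assets/meeting.js"></script>
<script>
var meetingConfig = {
  sdk_key: "CONSTRUCTED_KEY",
  signature: "CONSTRUCTED_SERVER_SIGNED_JWT",
  meeting_number: "0000000000"
};
</script>`;

console.log(findExposedSecrets(EXPOSED_PAGE));
console.log(findExposedSecrets(HARDENED_PAGE));
```

Any finding on a page served to visitors means the value has to be treated as disclosed and rotated, not just removed from the template.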

Explanation of Vulnerability in Simple Terms

02 Summary

The eRoom plugin for Zoom, Google Meet, and Microsoft Teams exposes sensitive information to unauthenticated attackers over the network. An attacker can read the data without logging in and without any interaction from a user. The vulnerability affects all versions up to and including 1.5.6. Update to a version newer than 1.5.6 to resolve this issue.

What an attacker can do

03 Attacker Capabilities

Read sensitive information from the plugin without authentication.

Potential impact on your site

04 Site Impact

Confidential data may be exposed to anyone on the internet who knows how to request it.

Conditions required to exploit

05 Prerequisites

Network access only; no login or user interaction required.

Key dates

06 Disclosure timeline

October 25, 2025 CVE published
April 8, 2026 Record updated