What the vulnerability does
01 Description
The eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams plugin for WordPress is vulnerable to exposure of sensitive information in all versions up to, and including, 1.5.6. This is due to the plugin exposing Zoom SDK secret keys in client-side JavaScript within the meeting view template. This makes it possible for unauthenticated attackers to extract the sdk_secret value, which should remain server-side, compromising the security of the Zoom integration and allowing attackers to generate valid JWT signatures for unauthorized meeting access.
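The mitigation pattern for this class of exposure is to sign on the server and hand the browser only a short-lived signature, then check rendered output for the secret. The sketch below is an added example, not the eRoom plugin's code; the function names, claim names and sample values are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_join_token(sdk_key, sdk_secret, meeting_number, now=None, ttl=120):
    """Server side only: short-lived HS256 JWT scoped to one meeting.
    Claim names are illustrative; use the ones your SDK documents."""
    iat = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sdkKey": sdk_key, "mn": meeting_number, "role": 0,
              "iat": iat, "exp": iat + ttl}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    mac = hmac.new(sdk_secret.encode(), signing_input.encode(), hashlib.sha256)
    return signing_input + "." + b64url(mac.digest())

def client_config(sdk_key, sdk_secret, meeting_number, user_may_join, now=None):
    """The only data the server hands to the browser: no secret, and a token
    only after the server's own authorization decision."""
    if not user_may_join:
        return None
    return {"sdk_key": sdk_key, "meeting_number": meeting_number,
            "signature": sign_join_token(sdk_key, sdk_secret, meeting_number, now)}

def render_inline_config(config) -> str:
    # Stand-in for a template that prints settings into an inline <script>.
    return "<script>var meeting_cfg = " + json.dumps(config) + ";</script>"

def leaks_secret(rendered: str, secret: str) -> bool:
    """Regression check for rendered output: raw, JSON-escaped, base64, hex."""
    raw = secret.encode()
    forms = {secret, json.dumps(secret)[1:-1],
             base64.b64encode(raw).decode(), raw.hex()}
    return any(form in rendered for form in forms)

# Constructed sample values, not real credentials.
KEY, SECRET, MEETING = "constructed-sdk-key", "constructed/secret+0001", "1234567890"

if __name__ == "__main__":
    exposed = render_inline_config({"sdk_key": KEY, "sdk_secret": SECRET})
    fixed = render_inline_config(client_config(KEY, SECRET, MEETING, True))
    print("secret in exposed template:", leaks_secret(exposed, SECRET))
    print("secret in fixed template:  ", leaks_secret(fixed, SECRET))
```

A secret that has already been served to browsers should be treated as disclosed and rotated in the Zoom app settings after updating.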
Explanation of Vulnerability in Simple Terms
02 Summary
The eRoom plugin for Zoom, Google Meet, and Microsoft Teams exposes sensitive information to unauthenticated attackers over the network. An attacker can read data without needing to log in or interact with a user. The vulnerability affects all versions up to and including 1.5.6. Update to a version newer than 1.5.6 to resolve this issue.
What an attacker can do
03 Attacker Capabilities
Read sensitive information from the plugin without authentication.
Potential impact on your site
04 Site Impact
Confidential data may be exposed to anyone on the internet who knows how to request it.
Conditions required to exploit
05 Prerequisites
Network access only; no login or user interaction required.
Key dates
06 Disclosure timeline
October 25, 2025: CVE published
April 8, 2026: Record updated