Attack Vectors
CVE-2026-1368 affects the Video Conferencing with Zoom WordPress plugin (slug: video-conferencing-with-zoom-api) and is rated Medium severity (CVSS 5.3; CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). Because the issue can be exploited over the network and does not require a logged-in user, an unauthenticated attacker may be able to reach the vulnerable functionality remotely.
In practical terms, this type of exposure is especially relevant for public-facing sites where the plugin is active and accessible, including marketing websites that embed or manage Zoom-related meeting workflows.
Security Weakness
The vulnerability is caused by a missing capability (authorization) check on a plugin function in Video Conferencing with Zoom versions up to 4.6.6. Without that authorization enforcement, the plugin may allow an unauthenticated attacker to perform an action that should be restricted.
According to the published advisory, remediation is to update to version 4.6.6 or a newer patched version, as provided by the vendor and reflected in the source report.
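To make the weakness class concrete, here is an added example (not code from the Video Conferencing with Zoom plugin) of a WordPress admin-ajax handler that is reachable by logged-out users without an authorization check, beside a hardened form of the same handler; the hook names, option key and settings fields are hypothetical:

```php
<?php
// Added illustration of a missing capability (authorization) check in a
// WordPress plugin action. The action names, option key and field names
// below are hypothetical and not taken from the affected plugin.

// --- Weak pattern: registered for logged-out users, no capability check ---
add_action( 'wp_ajax_nopriv_example_save_meeting_settings', 'example_save_meeting_settings_weak' );
add_action( 'wp_ajax_example_save_meeting_settings', 'example_save_meeting_settings_weak' );

function example_save_meeting_settings_weak() {
    // Anyone who can reach admin-ajax.php can overwrite this option
    // (integrity impact, no login required).
    update_option( 'example_zoom_meeting_settings', wp_unslash( $_POST['settings'] ?? '' ) );
    wp_send_json_success();
}

// --- Hardened pattern: authenticated hook only, capability check, nonce, validation ---
// Note: no 'wp_ajax_nopriv_' registration, so unauthenticated requests never reach it.
add_action( 'wp_ajax_example_save_meeting_settings_v2', 'example_save_meeting_settings_hardened' );

function example_save_meeting_settings_hardened() {
    // 1. Authorization: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
        return;
    }

    // 2. CSRF protection: the request must carry a nonce bound to this action.
    check_ajax_referer( 'example_save_meeting_settings_v2', 'nonce' ); // dies on failure

    // 3. Validate and sanitize input before persisting anything.
    $raw   = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();
    $clean = array(
        'join_before_host' => ! empty( $raw['join_before_host'] ) ? 1 : 0,
        'default_duration' => max( 1, min( 1440, absint( $raw['default_duration'] ?? 60 ) ) ),
    );

    update_option( 'example_zoom_meeting_settings', $clean );
    wp_send_json_success( $clean );
}
```

When auditing a plugin for this class of issue, look for `wp_ajax_nopriv_*`, `admin_post_nopriv_*` and REST routes whose `permission_callback` is `__return_true`, and confirm each handler performs its own `current_user_can()` check rather than relying on the hook name.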
Technical or Business Impacts
While the CVSS impact profile indicates integrity impact (I:L) rather than confidentiality or availability loss, unauthorized actions can still create meaningful business risk. Depending on how your site uses the plugin, this can translate into unwanted changes to Zoom-related configurations or workflows, which can disrupt marketing operations, event execution, or customer communications.
From a leadership and compliance standpoint, this type of access-control gap increases the risk of process breakdowns (events scheduled or modified incorrectly), brand damage (customers receiving incorrect meeting details), and audit findings (insufficient access controls). It is advisable to treat this as a time-sensitive maintenance item and confirm the site is running the patched plugin version.
Reference: CVE-2026-1368. Source advisory: Wordfence vulnerability entry.
Similar Attacks
Authorization and access-control weaknesses in WordPress plugins have been repeatedly exploited because they can allow remote, unauthenticated actions against business websites. A well-known example is CVE-2019-9978 (Social Warfare plugin), which highlighted how plugin-level authorization and input handling issues can expose sites to serious compromise.