CVE-2023-3947 – Video Conferencing with Zoom <= 4.2.1 - Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2023-3947
The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure due to a hardcoded encryption key in the 'vczapi_encrypt_decrypt' function in versions up to, and including, 4.2.1. This makes it possible for unauthenticated attackers to decrypt and view the meeting ID and password.
• https://plugins.trac.wordpress.org/browser/video-conferencing-with-zoom-api/tags/4.2.1/includes/helpers.php#L546
• https://plugins.trac.wordpress.org/browser/video-conferencing-with-zoom-api/trunk/includes/Helpers/Encryption.php?rev=2942302
• https://www.wordfence.com/threat-intel/vulnerabilities/id/ba2515d9-ced0-4b49-87c4-04c8391c2608?source=cve
• CWE-321: Use of Hard-coded Cryptographic Key
CVE-2022-0384 – Video Conferencing with Zoom < 3.8.17 - E-mail Address Disclosure
https://notcve.org/view.php?id=CVE-2022-0384
The Video Conferencing with Zoom WordPress plugin before 3.8.17 does not have authorisation in its vczapi_get_wp_users AJAX action, allowing any authenticated user, such as a subscriber, to download the list of email addresses registered on the blog.
• https://plugins.trac.wordpress.org/changeset/2671219
• https://wpscan.com/vulnerability/91c44c45-994b-4aed-b9f9-7db45924eeb4
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor