CVE-2023-3947 — Use of Hard-coded Cryptographic Key in 3RK Video Conferencing With Zoom

CWE-321 — Use of Hard-coded Cryptographic Key3 documents3 sources

Severity

5.3MEDIUMNVD

CNA3.7

EPSS

0.2%

top 56.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

J 3RK Video Conferencing With Zoom Imdpen Video Conferencing With Zoom

Timeline

PublishedJul 26

Description

The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the 'vczapi_encrypt_decrypt' function in versions up to, and including, 4.2.1. This makes it possible for unauthenticated attackers to decrypt and view the meeting id and password.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5j_3rk/video_conferencing_with_zoom4.2.1

▶NVDimdpen/video_conferencing_with_zoom4.2.1

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

CVEList

Video Conferencing with Zoom <= 4.2.1 - Sensitive Information Exposure↗2023-07-26

▶

GHSA

GHSA-66rr-38w2-26rv: The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the 'vczapi_e↗2023-07-26

▶