CVE-2022-0384 in Video Conferencing with Zoom Plugin
Summary
by MITRE • 03/07/2022
The Video Conferencing with Zoom WordPress plugin before 3.8.17 does not have authorisation in its vczapi_get_wp_users AJAX action, allowing any authenticated user, such as a subscriber, to download the list of email addresses registered on the blog.
Analysis
by VulDB Data Team • 03/09/2022
The vulnerability identified as CVE-2022-0384 affects the Video Conferencing with Zoom WordPress plugin in versions prior to 3.8.17. It is an authorization flaw that compromises user privacy: the plugin's vczapi_get_wp_users AJAX action does not check whether the caller is allowed to see user data, so any authenticated user of the WordPress site can read it.
The flaw is the absence of a role or capability check inside the AJAX handler. A user with minimal privileges, such as a subscriber, can invoke the vczapi_get_wp_users action and obtain the list of email addresses registered on the affected site. This is a direct violation of the principle of least privilege and reflects an inadequate access-control implementation. The vulnerability is classified under CWE-284 (Improper Access Control): the plugin fails to verify the caller's permissions before exposing sensitive data through its endpoint.
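The following is an added example that is not the plugin's own code: a minimal WordPress AJAX handler with the defect the advisory describes (registered for logged-in users via wp_ajax_ and no capability check), followed by a hardened version. The callback names, the nonce action name and the `term` parameter are assumptions for illustration; the real plugin's internals are not reproduced here.

```php
<?php
// Added example, not code from the Video Conferencing with Zoom plugin.
// The wp_ajax_ prefix means any logged-in user can reach the handler; that is
// fine only if the handler itself authorizes the caller.

// --- Vulnerable pattern (CWE-284). Registration left commented out so it is
// never active alongside the hardened handler below. ---
// add_action( 'wp_ajax_vczapi_get_wp_users', 'vczapi_get_wp_users_unchecked' );

function vczapi_get_wp_users_unchecked() {
    // No nonce, no capability check: a subscriber gets every email address.
    $users = get_users( array(
        'fields' => array( 'ID', 'display_name', 'user_email' ),
    ) );
    wp_send_json_success( $users );
}

// --- Hardened form: nonce for CSRF, capability check for authorization,
// bounded result set, and no email addresses in the response. ---
add_action( 'wp_ajax_vczapi_get_wp_users', 'vczapi_get_wp_users_checked' );

function vczapi_get_wp_users_checked() {
    // The nonce action name 'vczapi_get_wp_users_nonce' is assumed; the admin
    // page that issues the request must create it with wp_create_nonce().
    check_ajax_referer( 'vczapi_get_wp_users_nonce', 'security' );

    // Authorization: require the same capability the Users screen requires.
    // By default only administrators (and network admins) hold list_users.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Optional search term (assumed parameter), sanitized before use.
    $term = isset( $_REQUEST['term'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['term'] ) )
        : '';

    $users = get_users( array(
        'search'         => '' === $term ? '' : '*' . $term . '*',
        'search_columns' => array( 'user_login', 'display_name' ),
        'number'         => 20,                          // bound the result set
        'fields'         => array( 'ID', 'display_name' ), // no user_email
    ) );

    wp_send_json_success( $users );
}
```

The two checks address different risks: `check_ajax_referer()` stops a third-party page from driving an administrator's browser into the endpoint, while `current_user_can( 'list_users' )` is the authorization step that was missing. Returning only the fields the UI needs limits the damage if a later check is ever bypassed.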
The operational impact extends beyond the exposure itself: an enumerated list of user email addresses gives attackers useful input for social engineering, credential stuffing and targeted phishing. The affected site becomes more exposed to account takeover attempts, since the email addresses can be combined with credentials leaked in unrelated breaches. In ATT&CK terms this maps to T1589 (Gather Victim Identity Information, which covers collecting email addresses for later use) and to T1566 (Phishing) as the most likely follow-on technique.
Organizations running affected versions of the Video Conferencing with Zoom plugin face a real risk, because the flaw allows data collection without administrative privileges or specialized tooling; any account on the site suffices. Users are unlikely to expect their contact information to be reachable through a video conferencing plugin, so the exposure is also a privacy concern. Security teams should weigh this vulnerability in their broader threat assessment, particularly on sites with many user roles and where user privacy is a regulatory requirement.
Mitigation should start with updating to version 3.8.17 or later, which adds the missing authorization check. Administrators should also review user roles and permissions to keep the number of accounts with access to sensitive plugin features small, restrict AJAX endpoints at the network level where that does not break legitimate front-end use, and monitor for unusual access patterns or unauthorized data requests. Remediation should include auditing other plugin components for the same class of missing authorization check, so that a similar flaw cannot be used to escalate privileges against the rest of the WordPress installation.
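As an added example of the monitoring and interim containment suggested above (not part of the plugin or of this advisory), the following must-use plugin logs every call to the vulnerable AJAX action with the caller's user ID and roles, and refuses callers who lack the `list_users` capability. It is meant as a stopgap for sites that cannot update immediately; the file name and log format are assumptions.

```php
<?php
/**
 * Plugin Name: Interim guard for vczapi_get_wp_users
 * Description: Added example, not code from the plugin or from VulDB. Place in
 * wp-content/mu-plugins/ (e.g. vczapi-guard.php, name assumed) until the site
 * runs Video Conferencing with Zoom 3.8.17 or later, then remove it.
 */

// admin-ajax.php fires admin_init before dispatching the wp_ajax_{action}
// hook, and mu-plugins load before regular plugins, so priority 1 here runs
// ahead of the vulnerable handler.
add_action( 'admin_init', 'vczapi_guard_ajax_action', 1 );

function vczapi_guard_ajax_action() {
    if ( ! wp_doing_ajax() ) {
        return;
    }

    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';

    if ( 'vczapi_get_wp_users' !== $action ) {
        return;
    }

    $user  = wp_get_current_user();
    $roles = implode( ',', (array) $user->roles );
    $ip    = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';

    // Record every call (allowed or not) so repeated enumeration attempts by
    // low-privilege accounts show up in the PHP error log / SIEM.
    error_log( sprintf(
        'vczapi_get_wp_users: user_id=%d roles=[%s] ip=%s allowed=%s',
        $user->ID,
        $roles,
        $ip,
        current_user_can( 'list_users' ) ? 'yes' : 'no'
    ) );

    // Enforce the check the plugin omitted: same capability as the Users screen.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}
```

Because the guard keys on the request's `action` parameter inside WordPress rather than on a web-server access log, it catches both GET and POST invocations of admin-ajax.php, which a URL-only log rule would miss for POST bodies. After patching, the log line is still useful as a detection for accounts probing the endpoint.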