CVE-2026-6440 in GoodMeet Plugin
Summary
by MITRE • 07/10/2026
The GoodMeet – Google Meet Integration for Webinar, Meeting & Video Conference plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1.8. This is due to a missing nonce verification in the reset_credential() function, which handles the wp_ajax_goodmeet_reset_google_meet_credential AJAX action. While the function does verify the user's capability (manage_options), it does not validate a nonce, making it susceptible to CSRF attacks. This makes it possible for unauthenticated attackers to trick a site administrator into clicking a malicious link that will reset (delete) the plugin's stored Google Meet API credentials (goodmeet_google_credentials) and OAuth tokens (goodmeet_google_token), effectively disabling the Google Meet integration on the site.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability in the GoodMeet WordPress plugin represents a critical cross-site request forgery weakness that undermines the security of webinars and video conferencing integrations. This issue affects versions up to and including 1.1.8, where the reset_credential() function fails to implement proper nonce verification during the wp_ajax_goodmeet_reset_google_meet_credential AJAX action. The flaw exists despite the function performing user capability checks through manage_options verification, which provides insufficient protection against unauthorized operations. The absence of nonce validation creates a pathway for attackers to exploit the plugin's administrative functions without proper authentication.
The technical exploitation of this vulnerability occurs when unauthenticated attackers craft malicious links that, when clicked by authenticated administrators, trigger the credential reset functionality. This specific flaw falls under CWE-352, which categorizes cross-site request forgery vulnerabilities as those that permit unauthorized commands from a user who is authenticated to a web application. The attack vector leverages the trust relationship between the administrator's browser and the WordPress site, bypassing the need for actual authentication credentials. The vulnerability enables complete disruption of Google Meet integration services by deleting stored API credentials and OAuth tokens, effectively rendering the plugin inoperative.
The operational impact of this CSRF vulnerability extends beyond simple service disruption to encompass potential data integrity compromises and unauthorized administrative actions within the WordPress environment. When administrators click malicious links, they unknowingly execute administrative functions that remove critical authentication tokens necessary for Google Meet integration. This attack scenario represents a significant threat to organizations relying on webinar and meeting functionalities, as it can lead to complete service interruption without requiring any sophisticated exploitation techniques. The attack requires only social engineering to convince administrators to click malicious links, making it particularly dangerous in enterprise environments where administrator privileges are common.
Security mitigations for this vulnerability should focus on implementing proper nonce validation mechanisms within the reset_credential() function to ensure that all administrative AJAX actions require valid cryptographic tokens. Organizations should immediately update to patched versions of the GoodMeet plugin when available, as the vendor has likely addressed this issue through nonce implementation. The solution aligns with ATT&CK technique T1078.004 which addresses legitimate credentials and privilege escalation through manipulation of authentication tokens. Additional defensive measures include network monitoring for unusual AJAX requests targeting the specific wp_ajax_goodmeet_reset_google_meet_credential endpoint and implementing Content Security Policy headers to limit cross-origin resource sharing that could facilitate CSRF attacks. Regular security audits of WordPress plugins should verify nonce implementation across all administrative functions, particularly those handling sensitive credential operations.
This vulnerability demonstrates the critical importance of proper input validation and authentication mechanisms in web applications, specifically within plugin architectures that handle third-party service integrations. The attack scenario highlights how seemingly minor oversights in nonce verification can create significant security risks, particularly when dealing with administrative functions that manipulate core application credentials. Organizations must prioritize comprehensive security reviews of their WordPress installations, focusing on AJAX endpoint validation and proper authentication token implementation to prevent similar vulnerabilities from compromising operational continuity and service availability.