Cross-Site Request Forgery Vulnerability in GoodMeet Plugin for WordPress
CVE-2026-6440

4.3MEDIUM

What is CVE-2026-6440?

The GoodMeet plugin for WordPress, which enables Google Meet integration for webinars and video conferences, contains a vulnerability that exposes it to Cross-Site Request Forgery (CSRF) attacks. In versions up to 1.1.8, the absence of nonce verification in the reset_credential() function allows unauthenticated attackers to trick administrators into executing malicious actions. Specifically, an attacker could reset critical Google Meet API credentials and OAuth tokens, disabling the integration through social engineering tactics. This highlights the importance of nonce validation in AJAX functions to safeguard against unauthorized actions.

Affected Version(s)

GoodMeet – Google Meet Integration for Webinar, Meeting & Video Conference 0 <= 1.1.8

References

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Legion Hunter
.