Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for HubSpot by HubSpot

    CVE-2026-57736 (GCVE-0-2026-57736)

    Vulnerability from nvd – Published: 2026-07-01 17:40 – Updated: 2026-07-01 17:59 X_Open Source
    VLAI
    Title
    WordPress HubSpot plugin <= 11.3.51 - Sensitive Data Exposure vulnerability
    Summary
    Insertion of Sensitive Information Into Sent Data vulnerability in HubSpot allows Retrieve Embedded Sensitive Data. This issue affects HubSpot: from n/a through 11.3.51.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-201 - Insertion of Sensitive Information Into Sent Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    HubSpot HubSpot Affected: n/a , ≤ 11.3.51 (custom)
    Create a notification for this product.
    Credits
    Jakub Herman | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57736",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T17:58:30.495235Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T17:59:06.101Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "leadin",
              "product": "HubSpot",
              "vendor": "HubSpot",
              "versions": [
                {
                  "lessThanOrEqual": "11.3.51",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Jakub Herman | Patchstack Bug Bounty Program"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Insertion of Sensitive Information Into Sent Data vulnerability in HubSpot allows Retrieve Embedded Sensitive Data.\u003cp\u003eThis issue affects HubSpot: from n/a through 11.3.51.\u003c/p\u003e"
                }
              ],
              "value": "Insertion of Sensitive Information Into Sent Data vulnerability in HubSpot allows Retrieve Embedded Sensitive Data.\n\nThis issue affects HubSpot: from n/a through 11.3.51."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T17:40:57.023Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/wordpress/plugin/leadin/vulnerability/wordpress-hubspot-plugin-11-3-51-sensitive-data-exposure-vulnerability?_s_id=cve"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "WordPress HubSpot plugin \u003c= 11.3.51 - Sensitive Data Exposure vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2026-57736",
        "datePublished": "2026-07-01T17:40:57.023Z",
        "dateReserved": "2026-06-25T08:04:20.945Z",
        "dateUpdated": "2026-07-01T17:59:06.101Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-5879 (GCVE-0-2024-5879)

    Vulnerability from nvd – Published: 2024-08-30 04:29 – Updated: 2026-04-08 17:14
    VLAI
    Title
    HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics <= 11.1.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via HubSpot Meeting Widget
    Summary
    The HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute of the HubSpot Meeting Widget in all versions up to, and including, 11.1.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5879",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-30T14:00:45.894393Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-30T14:05:55.285Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "HubSpot All-In-One Marketing \u2013 Forms, Popups, Live Chat",
              "vendor": "hubspotdev",
              "versions": [
                {
                  "lessThanOrEqual": "11.1.22",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The HubSpot \u2013 CRM, Email Marketing, Live Chat, Forms \u0026 Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027url\u0027 attribute of the HubSpot Meeting Widget in all versions up to, and including, 11.1.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:14:46.249Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ac004fb0-e178-4e9b-9aa3-b14eab43f22d?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.1.13/public/admin/widgets/class-elementormeeting.php#L108"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3123662/leadin/trunk/public/admin/widgets/class-elementormeeting.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-08-29T15:39:03.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "HubSpot \u2013 CRM, Email Marketing, Live Chat, Forms \u0026 Analytics \u003c= 11.1.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via HubSpot Meeting Widget"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-5879",
        "datePublished": "2024-08-30T04:29:57.206Z",
        "dateReserved": "2024-06-11T16:52:39.130Z",
        "dateUpdated": "2026-04-08T17:14:46.249Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-1239 (GCVE-0-2022-1239)

    Vulnerability from nvd – Published: 2022-05-02 16:05 – Updated: 2024-08-02 23:55
    VLAI
    Title
    HubSpot < 8.8.15 - Contributor+ Blind SSRF
    Summary
    The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above) to perform SSRF attacks
    Severity
    No CVSS data available.
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Credits
    Brandon Roldan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:55:24.529Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/4ad2bb96-87a4-4590-a058-b03b33d2fcee"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "HubSpot \u2013 CRM, Email Marketing, Live Chat, Forms \u0026 Analytics",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "8.8.15",
                  "status": "affected",
                  "version": "8.8.15",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Brandon Roldan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above) to perform SSRF attacks"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-02T16:05:49.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/4ad2bb96-87a4-4590-a058-b03b33d2fcee"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "HubSpot \u003c 8.8.15 - Contributor+ Blind SSRF",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-1239",
              "STATE": "PUBLIC",
              "TITLE": "HubSpot \u003c 8.8.15 - Contributor+ Blind SSRF"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "HubSpot \u2013 CRM, Email Marketing, Live Chat, Forms \u0026 Analytics",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "8.8.15",
                                "version_value": "8.8.15"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Brandon Roldan"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above) to perform SSRF attacks"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-918 Server-Side Request Forgery (SSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/4ad2bb96-87a4-4590-a058-b03b33d2fcee",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/4ad2bb96-87a4-4590-a058-b03b33d2fcee"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-1239",
        "datePublished": "2022-05-02T16:05:49.000Z",
        "dateReserved": "2022-04-05T00:00:00.000Z",
        "dateUpdated": "2024-08-02T23:55:24.529Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-57736 (GCVE-0-2026-57736)

    Vulnerability from cvelistv5 – Published: 2026-07-01 17:40 – Updated: 2026-07-01 17:59 X_Open Source
    VLAI
    Title
    WordPress HubSpot plugin <= 11.3.51 - Sensitive Data Exposure vulnerability
    Summary
    Insertion of Sensitive Information Into Sent Data vulnerability in HubSpot allows Retrieve Embedded Sensitive Data. This issue affects HubSpot: from n/a through 11.3.51.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-201 - Insertion of Sensitive Information Into Sent Data
    Assigner
    References
    Impacted products
    Vendor Product Version
    HubSpot HubSpot Affected: n/a , ≤ 11.3.51 (custom)
    Create a notification for this product.
    Credits
    Jakub Herman | Patchstack Bug Bounty Program
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57736",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T17:58:30.495235Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T17:59:06.101Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "leadin",
              "product": "HubSpot",
              "vendor": "HubSpot",
              "versions": [
                {
                  "lessThanOrEqual": "11.3.51",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Jakub Herman | Patchstack Bug Bounty Program"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Insertion of Sensitive Information Into Sent Data vulnerability in HubSpot allows Retrieve Embedded Sensitive Data.\u003cp\u003eThis issue affects HubSpot: from n/a through 11.3.51.\u003c/p\u003e"
                }
              ],
              "value": "Insertion of Sensitive Information Into Sent Data vulnerability in HubSpot allows Retrieve Embedded Sensitive Data.\n\nThis issue affects HubSpot: from n/a through 11.3.51."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201 Insertion of Sensitive Information Into Sent Data",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T17:40:57.023Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/wordpress/plugin/leadin/vulnerability/wordpress-hubspot-plugin-11-3-51-sensitive-data-exposure-vulnerability?_s_id=cve"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "tags": [
            "x_open-source"
          ],
          "title": "WordPress HubSpot plugin \u003c= 11.3.51 - Sensitive Data Exposure vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2026-57736",
        "datePublished": "2026-07-01T17:40:57.023Z",
        "dateReserved": "2026-06-25T08:04:20.945Z",
        "dateUpdated": "2026-07-01T17:59:06.101Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-5879 (GCVE-0-2024-5879)

    Vulnerability from cvelistv5 – Published: 2024-08-30 04:29 – Updated: 2026-04-08 17:14
    VLAI
    Title
    HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics <= 11.1.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via HubSpot Meeting Widget
    Summary
    The HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute of the HubSpot Meeting Widget in all versions up to, and including, 11.1.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    wesley
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-5879",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-30T14:00:45.894393Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-30T14:05:55.285Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "HubSpot All-In-One Marketing \u2013 Forms, Popups, Live Chat",
              "vendor": "hubspotdev",
              "versions": [
                {
                  "lessThanOrEqual": "11.1.22",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "wesley"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The HubSpot \u2013 CRM, Email Marketing, Live Chat, Forms \u0026 Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027url\u0027 attribute of the HubSpot Meeting Widget in all versions up to, and including, 11.1.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:14:46.249Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ac004fb0-e178-4e9b-9aa3-b14eab43f22d?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.1.13/public/admin/widgets/class-elementormeeting.php#L108"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3123662/leadin/trunk/public/admin/widgets/class-elementormeeting.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-08-29T15:39:03.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "HubSpot \u2013 CRM, Email Marketing, Live Chat, Forms \u0026 Analytics \u003c= 11.1.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via HubSpot Meeting Widget"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-5879",
        "datePublished": "2024-08-30T04:29:57.206Z",
        "dateReserved": "2024-06-11T16:52:39.130Z",
        "dateUpdated": "2026-04-08T17:14:46.249Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2022-1239 (GCVE-0-2022-1239)

    Vulnerability from cvelistv5 – Published: 2022-05-02 16:05 – Updated: 2024-08-02 23:55
    VLAI
    Title
    HubSpot < 8.8.15 - Contributor+ Blind SSRF
    Summary
    The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above) to perform SSRF attacks
    Severity
    No CVSS data available.
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    References
    Impacted products
    Credits
    Brandon Roldan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T23:55:24.529Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/4ad2bb96-87a4-4590-a058-b03b33d2fcee"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "HubSpot \u2013 CRM, Email Marketing, Live Chat, Forms \u0026 Analytics",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "8.8.15",
                  "status": "affected",
                  "version": "8.8.15",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Brandon Roldan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above) to perform SSRF attacks"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-05-02T16:05:49.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/4ad2bb96-87a4-4590-a058-b03b33d2fcee"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "HubSpot \u003c 8.8.15 - Contributor+ Blind SSRF",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2022-1239",
              "STATE": "PUBLIC",
              "TITLE": "HubSpot \u003c 8.8.15 - Contributor+ Blind SSRF"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "HubSpot \u2013 CRM, Email Marketing, Live Chat, Forms \u0026 Analytics",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "8.8.15",
                                "version_value": "8.8.15"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Brandon Roldan"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above) to perform SSRF attacks"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-918 Server-Side Request Forgery (SSRF)"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/4ad2bb96-87a4-4590-a058-b03b33d2fcee",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/4ad2bb96-87a4-4590-a058-b03b33d2fcee"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-1239",
        "datePublished": "2022-05-02T16:05:49.000Z",
        "dateReserved": "2022-04-05T00:00:00.000Z",
        "dateUpdated": "2024-08-02T23:55:24.529Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }