Search
Find a vulnerability
Search criteria
6 vulnerabilities by hubspotdev
CVE-2026-9656 (GCVE-0-2026-9656)
Vulnerability from nvd – Published: 2026-07-17 06:53 – Updated: 2026-07-17 06:53
VLAI
EPSS
VEX
Title
HubSpot All-In-One Marketing <= 11.3.62 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor Localized Script
Summary
The HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wp_localize_script() / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site's plaintext HubSpot OAuth refresh token exposed via the window.leadinConfig JavaScript object, which can then be used to access or modify data in the connected HubSpot tenant. Although the refresh token is stored at rest with AES-256-CTR encryption, decryption occurs server-side before the plaintext value is passed to wp_localize_script(), rendering the at-rest encryption ineffective against this exposure path.
Severity
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hubspotdev | HubSpot All-In-One Marketing – Forms, Popups, Live Chat |
Affected:
0 , ≤ 11.3.62
(semver)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HubSpot All-In-One Marketing \u2013 Forms, Popups, Live Chat",
"vendor": "hubspotdev",
"versions": [
{
"lessThanOrEqual": "11.3.62",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "anhcd05"
}
],
"descriptions": [
{
"lang": "en",
"value": "The HubSpot All-In-One Marketing \u2013 Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wp_localize_script() / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site\u0027s plaintext HubSpot OAuth refresh token exposed via the window.leadinConfig JavaScript object, which can then be used to access or modify data in the connected HubSpot tenant. Although the refresh token is stored at rest with AES-256-CTR encryption, decryption occurs server-side before the plaintext value is passed to wp_localize_script(), rendering the at-rest encryption ineffective against this exposure path."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T06:53:26.239Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/718d7ea3-d8ba-46a0-9ab1-72657bd82c17?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/admin/class-adminconstants.php#L190"
},
{
"url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/auth/class-oauth.php#L46"
},
{
"url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/admin/class-gutenberg.php#L44"
},
{
"url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/class-assetsmanager.php#L150"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fleadin/tags/11.3.62\u0026new_path=%2Fleadin/tags/11.3.64"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-16T17:50:07.000Z",
"value": "Disclosed"
}
],
"title": "HubSpot All-In-One Marketing \u003c= 11.3.62 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor Localized Script"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9656",
"datePublished": "2026-07-17T06:53:26.239Z",
"dateReserved": "2026-05-26T20:23:14.339Z",
"dateUpdated": "2026-07-17T06:53:26.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11762 (GCVE-0-2025-11762)
Vulnerability from nvd – Published: 2026-04-24 07:45 – Updated: 2026-04-24 18:17
VLAI
EPSS
VEX
Title
HubSpot All-In-One Marketing - Forms, Popups, Live Chat <= 11.3.32 - Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure
Summary
The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hubspotdev | HubSpot All-In-One Marketing – Forms, Popups, Live Chat |
Affected:
0 , ≤ 11.3.32
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11762",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T16:58:21.740873Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T18:17:28.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HubSpot All-In-One Marketing \u2013 Forms, Popups, Live Chat",
"vendor": "hubspotdev",
"versions": [
{
"lessThanOrEqual": "11.3.32",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T07:45:06.751Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2a8c62e6-f459-433a-b0c4-c79285ea7fe9?source=cve"
},
{
"url": "https://research.cleantalk.org/CVE-2025-11762"
},
{
"url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.33/public/admin/class-adminconstants.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-23T19:19:31.000Z",
"value": "Disclosed"
}
],
"title": "HubSpot All-In-One Marketing - Forms, Popups, Live Chat \u003c= 11.3.32 - Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11762",
"datePublished": "2026-04-24T07:45:06.751Z",
"dateReserved": "2025-10-14T20:34:25.859Z",
"dateUpdated": "2026-04-24T18:17:28.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-5879 (GCVE-0-2024-5879)
Vulnerability from nvd – Published: 2024-08-30 04:29 – Updated: 2026-04-08 17:14
VLAI
EPSS
VEX
Title
HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics <= 11.1.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via HubSpot Meeting Widget
Summary
The HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute of the HubSpot Meeting Widget in all versions up to, and including, 11.1.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hubspotdev | HubSpot All-In-One Marketing – Forms, Popups, Live Chat |
Affected:
0 , ≤ 11.1.22
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5879",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T14:00:45.894393Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T14:05:55.285Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HubSpot All-In-One Marketing \u2013 Forms, Popups, Live Chat",
"vendor": "hubspotdev",
"versions": [
{
"lessThanOrEqual": "11.1.22",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The HubSpot \u2013 CRM, Email Marketing, Live Chat, Forms \u0026 Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027url\u0027 attribute of the HubSpot Meeting Widget in all versions up to, and including, 11.1.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:14:46.249Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ac004fb0-e178-4e9b-9aa3-b14eab43f22d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.1.13/public/admin/widgets/class-elementormeeting.php#L108"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3123662/leadin/trunk/public/admin/widgets/class-elementormeeting.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-29T15:39:03.000Z",
"value": "Disclosed"
}
],
"title": "HubSpot \u2013 CRM, Email Marketing, Live Chat, Forms \u0026 Analytics \u003c= 11.1.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via HubSpot Meeting Widget"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-5879",
"datePublished": "2024-08-30T04:29:57.206Z",
"dateReserved": "2024-06-11T16:52:39.130Z",
"dateUpdated": "2026-04-08T17:14:46.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9656 (GCVE-0-2026-9656)
Vulnerability from cvelistv5 – Published: 2026-07-17 06:53 – Updated: 2026-07-17 06:53
VLAI
EPSS
VEX
Title
HubSpot All-In-One Marketing <= 11.3.62 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor Localized Script
Summary
The HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wp_localize_script() / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site's plaintext HubSpot OAuth refresh token exposed via the window.leadinConfig JavaScript object, which can then be used to access or modify data in the connected HubSpot tenant. Although the refresh token is stored at rest with AES-256-CTR encryption, decryption occurs server-side before the plaintext value is passed to wp_localize_script(), rendering the at-rest encryption ineffective against this exposure path.
Severity
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hubspotdev | HubSpot All-In-One Marketing – Forms, Popups, Live Chat |
Affected:
0 , ≤ 11.3.62
(semver)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HubSpot All-In-One Marketing \u2013 Forms, Popups, Live Chat",
"vendor": "hubspotdev",
"versions": [
{
"lessThanOrEqual": "11.3.62",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "anhcd05"
}
],
"descriptions": [
{
"lang": "en",
"value": "The HubSpot All-In-One Marketing \u2013 Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wp_localize_script() / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site\u0027s plaintext HubSpot OAuth refresh token exposed via the window.leadinConfig JavaScript object, which can then be used to access or modify data in the connected HubSpot tenant. Although the refresh token is stored at rest with AES-256-CTR encryption, decryption occurs server-side before the plaintext value is passed to wp_localize_script(), rendering the at-rest encryption ineffective against this exposure path."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T06:53:26.239Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/718d7ea3-d8ba-46a0-9ab1-72657bd82c17?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/admin/class-adminconstants.php#L190"
},
{
"url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/auth/class-oauth.php#L46"
},
{
"url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/admin/class-gutenberg.php#L44"
},
{
"url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/class-assetsmanager.php#L150"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fleadin/tags/11.3.62\u0026new_path=%2Fleadin/tags/11.3.64"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-16T17:50:07.000Z",
"value": "Disclosed"
}
],
"title": "HubSpot All-In-One Marketing \u003c= 11.3.62 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor Localized Script"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9656",
"datePublished": "2026-07-17T06:53:26.239Z",
"dateReserved": "2026-05-26T20:23:14.339Z",
"dateUpdated": "2026-07-17T06:53:26.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11762 (GCVE-0-2025-11762)
Vulnerability from cvelistv5 – Published: 2026-04-24 07:45 – Updated: 2026-04-24 18:17
VLAI
EPSS
VEX
Title
HubSpot All-In-One Marketing - Forms, Popups, Live Chat <= 11.3.32 - Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure
Summary
The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hubspotdev | HubSpot All-In-One Marketing – Forms, Popups, Live Chat |
Affected:
0 , ≤ 11.3.32
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11762",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T16:58:21.740873Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T18:17:28.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HubSpot All-In-One Marketing \u2013 Forms, Popups, Live Chat",
"vendor": "hubspotdev",
"versions": [
{
"lessThanOrEqual": "11.3.32",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T07:45:06.751Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2a8c62e6-f459-433a-b0c4-c79285ea7fe9?source=cve"
},
{
"url": "https://research.cleantalk.org/CVE-2025-11762"
},
{
"url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.33/public/admin/class-adminconstants.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-23T19:19:31.000Z",
"value": "Disclosed"
}
],
"title": "HubSpot All-In-One Marketing - Forms, Popups, Live Chat \u003c= 11.3.32 - Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11762",
"datePublished": "2026-04-24T07:45:06.751Z",
"dateReserved": "2025-10-14T20:34:25.859Z",
"dateUpdated": "2026-04-24T18:17:28.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-5879 (GCVE-0-2024-5879)
Vulnerability from cvelistv5 – Published: 2024-08-30 04:29 – Updated: 2026-04-08 17:14
VLAI
EPSS
VEX
Title
HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics <= 11.1.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via HubSpot Meeting Widget
Summary
The HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute of the HubSpot Meeting Widget in all versions up to, and including, 11.1.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hubspotdev | HubSpot All-In-One Marketing – Forms, Popups, Live Chat |
Affected:
0 , ≤ 11.1.22
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5879",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-30T14:00:45.894393Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-30T14:05:55.285Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HubSpot All-In-One Marketing \u2013 Forms, Popups, Live Chat",
"vendor": "hubspotdev",
"versions": [
{
"lessThanOrEqual": "11.1.22",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The HubSpot \u2013 CRM, Email Marketing, Live Chat, Forms \u0026 Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027url\u0027 attribute of the HubSpot Meeting Widget in all versions up to, and including, 11.1.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:14:46.249Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ac004fb0-e178-4e9b-9aa3-b14eab43f22d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.1.13/public/admin/widgets/class-elementormeeting.php#L108"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3123662/leadin/trunk/public/admin/widgets/class-elementormeeting.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-08-29T15:39:03.000Z",
"value": "Disclosed"
}
],
"title": "HubSpot \u2013 CRM, Email Marketing, Live Chat, Forms \u0026 Analytics \u003c= 11.1.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via HubSpot Meeting Widget"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-5879",
"datePublished": "2024-08-30T04:29:57.206Z",
"dateReserved": "2024-06-11T16:52:39.130Z",
"dateUpdated": "2026-04-08T17:14:46.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}