Description
The HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wp_localize_script() / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site's plaintext HubSpot OAuth refresh token exposed via the window.leadinConfig JavaScript object, which can then be used to access or modify data in the connected HubSpot tenant. Although the refresh token is stored at rest with AES-256-CTR encryption, decryption occurs server-side before the plaintext value is passed to wp_localize_script(), rendering the at-rest encryption ineffective against this exposure path.
Analysis and contextual insights are available on OpenCVE Cloud.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Fri, 17 Jul 2026 08:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Hubspotdev
Hubspotdev hubspot All-in-one Marketing – Forms, Popups, Live Chat Wordpress Wordpress wordpress |
|
| Vendors & Products |
Hubspotdev
Hubspotdev hubspot All-in-one Marketing – Forms, Popups, Live Chat Wordpress Wordpress wordpress |
Fri, 17 Jul 2026 07:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wp_localize_script() / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site's plaintext HubSpot OAuth refresh token exposed via the window.leadinConfig JavaScript object, which can then be used to access or modify data in the connected HubSpot tenant. Although the refresh token is stored at rest with AES-256-CTR encryption, decryption occurs server-side before the plaintext value is passed to wp_localize_script(), rendering the at-rest encryption ineffective against this exposure path. | |
| Title | HubSpot All-In-One Marketing <= 11.3.62 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor Localized Script | |
| Weaknesses | CWE-200 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-17T06:53:26.239Z
Reserved: 2026-05-26T20:23:14.339Z
Link: CVE-2026-9656
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-17T08:30:05Z
Weaknesses