Description
The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks.
Published: 2026-04-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The HubSpot All‑In‑One Marketing – Forms, Popups, Live Chat WordPress plugin allows attackers who are authenticated with Contributor or higher privileges to retrieve a list of all installed plugins and their versions. This missing authorization check can lead to sensitive information exposure, helping an attacker gather reconnaissance data for future attacks. The weakness is classified as CWE‑862.

Affected Systems

Vendors: HubSpot dev. Product: HubSpot All‑In‑One Marketing – Forms, Popups, Live Chat. Affected versions are all releases up to and including 11.3.32, which are used on WordPress sites that have the plugin installed.

Risk and Exploitability

The vulnerability has a CVSS score of 4.3, indicating a moderate risk level, and an EPSS score of less than 1 percent, suggesting a low probability of current exploitation. It is not listed in the CISA KEV catalog. The attack requires authenticated access at the Contributor level, so only users who have been granted such permissions could exploit this weakness. Because the attacker can only read plugin information and not modify or execute code, the impact is limited to information disclosure and reconnaissance, not direct code execution or privilege escalation.

Generated by OpenCVE AI on April 28, 2026 at 06:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the HubSpot All‑In‑One Marketing plugin to version 11.3.33 or later, where the missing authorization check has been fixed.
  • If an immediate update is not possible, remove the plugin from the site to eliminate the vulnerability.
  • Restrict Contributor access or prune contributor‑level users until the patch can be applied to reduce the set of attackers who could exploit the issue.

Generated by OpenCVE AI on April 28, 2026 at 06:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Hubspotdev
Hubspotdev hubspot All-in-one Marketing – Forms, Popups, Live Chat
Wordpress
Wordpress wordpress
Vendors & Products Hubspotdev
Hubspotdev hubspot All-in-one Marketing – Forms, Popups, Live Chat
Wordpress
Wordpress wordpress

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Description The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks.
Title HubSpot All-In-One Marketing - Forms, Popups, Live Chat <= 11.3.32 - Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Hubspotdev Hubspot All-in-one Marketing – Forms, Popups, Live Chat
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-24T18:17:28.206Z

Reserved: 2025-10-14T20:34:25.859Z

Link: CVE-2025-11762

cve-icon Vulnrichment

Updated: 2026-04-24T16:58:28.615Z

cve-icon NVD

Status : Deferred

Published: 2026-04-24T08:16:29.000

Modified: 2026-04-24T14:38:26.740

Link: CVE-2025-11762

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T09:18:07Z

Weaknesses