Impact
The flaw involves the insertion of sensitive information into data sent by the Integration for Contact Form 7 HubSpot plugin for WordPress. When the plugin processes form submissions, it can expose confidential data to the target HubSpot endpoint. The leak compromises confidentiality and may allow an attacker to steal personally identifiable or business-critical information. The vulnerability is categorized as CWE-201 (Sensitive Data Exposure).
Affected Systems
Deployments of the CRM Perks: Integration for Contact Form 7 HubSpot plugin, version 1.4.3 and all earlier releases, are affected. The product is a WordPress plugin that forwards form data to HubSpot.
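To check an installation against the affected range, the following added example (not code from the advisory or the plugin) scans a `wp-content/plugins` directory for plugin headers and reports copies at or below 1.4.3. The name-matching strings, the function names and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 4, 3)  # last affected release, per the advisory text
# Assumption: the plugin header's "Plugin Name" contains both of these strings.
NAME_WORDS = ("contact form 7", "hubspot")
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_header(php_source):
    """Extract 'plugin name' and 'version' from a WordPress plugin file header."""
    fields = {}
    # WordPress itself only reads the first 8 KB of a file for header fields.
    for key, value in HEADER_RE.findall(php_source[:8192]):
        fields.setdefault(key.lower(), value)
    return fields

def version_tuple(version):
    """'1.4' -> (1, 4, 0); a suffix such as '-beta' is ignored."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))

def find_affected(plugins_dir):
    """Return [(relative path, version)] for matching plugins at or below 1.4.3."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = parse_header(php.read_text(errors="replace"))
        name = fields.get("plugin name", "").lower()
        version = fields.get("version", "")
        if (version and all(w in name for w in NAME_WORDS)
                and version_tuple(version) <= LAST_AFFECTED):
            hits.append((php.relative_to(plugins_dir).as_posix(), version))
    return hits

def demo():
    """Run the scan over a constructed plugins directory (sample data only)."""
    header = "<?php\n/*\n * Plugin Name: {}\n * Version: {}\n */\n"
    target = "Integration for Contact Form 7 HubSpot"
    samples = {  # constructed folder names and version numbers
        "old-copy/main.php": (target, "1.4.3"),
        "new-copy/main.php": (target, "9.9.9"),
        "other/other.php": ("Unrelated Gallery", "1.0"),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (name, ver) in samples.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True)
            path.write_text(header.format(name, ver))
        return find_affected(root)
```

On a real site, call `find_affected()` with the path to the `wp-content/plugins` directory; an empty list means no matching copy at or below 1.4.3 was found.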
Risk and Exploitability
The CVSS base score of 5.4 indicates a moderate risk, while the EPSS score of less than 1% suggests that exploitation attempts are expected to be very rare. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could submit specially crafted form data that triggers the plugin to send sensitive fields to HubSpot. No additional authentication or privilege escalation steps are described, so the attack surface is limited to sites that have the vulnerable plugin installed and have exposed contact forms. The overall threat remains moderate, and the low EPSS score indicates that widespread exploitation is unlikely at present.
OpenCVE Enrichment