Description
The HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wp_localize_script() / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site's plaintext HubSpot OAuth refresh token exposed via the window.leadinConfig JavaScript object, which can then be used to access or modify data in the connected HubSpot tenant. Although the refresh token is stored at rest with AES-256-CTR encryption, decryption occurs server-side before the plaintext value is passed to wp_localize_script(), rendering the at-rest encryption ineffective against this exposure path.
Published: 2026-07-17
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Jul 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Hubspotdev
Hubspotdev hubspot All-in-one Marketing – Forms, Popups, Live Chat
Wordpress
Wordpress wordpress
Vendors & Products Hubspotdev
Hubspotdev hubspot All-in-one Marketing – Forms, Popups, Live Chat
Wordpress
Wordpress wordpress

Fri, 17 Jul 2026 07:30:00 +0000

Type Values Removed Values Added
Description The HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wp_localize_script() / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site's plaintext HubSpot OAuth refresh token exposed via the window.leadinConfig JavaScript object, which can then be used to access or modify data in the connected HubSpot tenant. Although the refresh token is stored at rest with AES-256-CTR encryption, decryption occurs server-side before the plaintext value is passed to wp_localize_script(), rendering the at-rest encryption ineffective against this exposure path.
Title HubSpot All-In-One Marketing <= 11.3.62 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor Localized Script
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Hubspotdev Hubspot All-in-one Marketing – Forms, Popups, Live Chat
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-17T06:53:26.239Z

Reserved: 2026-05-26T20:23:14.339Z

Link: CVE-2026-9656

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-17T08:30:05Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor