Back to overview

CVE-2026-9656

MEDIUM
4.3
CVSS 3.1
Description
The HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wp_localize_script() / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site's plaintext HubSpot OAuth refresh token exposed via the window.leadinConfig JavaScript object, which can then be used to access or modify data in the connected HubSpot tenant. Although the refresh token is stored at rest with AES-256-CTR encryption, decryption occurs server-side before the plaintext value is passed to wp_localize_script(), rendering the at-rest encryption ineffective against this exposure path.

Metadata

CVE ID
CVE-2026-9656
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-05-26 20:23 UTC
Published
2026-07-17 06:53 UTC
Last updated
2026-07-17 06:53 UTC
Primary CWE
CWE-200
CWE-200 Exposure of Sensitive Information to an Unauthorized…
Vendor / Product
hubspotdev / HubSpot All-In-One Marketing – Forms, Popups, Live Chat
Sources
cve.org  ·  NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
hubspotdev HubSpot All-In-One Marketing – Forms, Popups, Live Chat 0 ≤ 11.3.62
Weakness (CWE)
CWESourceDescription
CWE-200 cna CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CVSS scores (1)
ScoreSeverityVersionSourceVector
4.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Back to overview