HubSpot All-In-One Marketing CVE-2025-11762

EUVD-2025-209571 | Severity: MEDIUM (CVSS 3.1 base score 4.3)
Weakness: Missing Authorization (CWE-862)
Date: 2026-04-24 | Sources: Wordfence, GHSA-rhxq-26gm-p3gp

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

1. Analysis Generated: Apr 24, 2026 - 08:30 (vuln.today)

Description (NVD)

The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks.

Analysis (AI)

HubSpot All-In-One Marketing plugin for WordPress (versions up to 11.3.32) exposes sensitive information via the class-adminconstants.php file, allowing authenticated users with Contributor-level access or higher to retrieve a complete list of installed plugins and their versions. This information disclosure enables reconnaissance for follow-on attacks targeting vulnerable plugins, though exploitation requires valid WordPress authentication and contributor-level privileges.

Technical Context (AI)

The vulnerability exists in the leadin/public/admin/class-adminconstants.php file within the HubSpot All-In-One Marketing plugin, a popular WordPress plugin for forms, popups, and live chat functionality. The root cause is classified as CWE-862 (Missing Authorization): the plugin does not properly restrict access to administrative information about installed plugins and their versions. WordPress plugins typically keep their metadata and version information in the wp-content/plugins directory and the options table, and this plugin appears to expose that data through an insufficiently protected administrative endpoint or method reachable by authenticated users below the Administrator role.
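The CWE-862 pattern described above, shown as an added illustration written for this page (hypothetical WordPress code, not the HubSpot/leadin plugin's own source; the action names, function names and nonce action are assumptions): a logged-in-only admin-ajax handler that returns the plugin inventory with no capability check, beside a hardened version that verifies a nonce and requires the administrator-only activate_plugins capability before disclosing anything.

```php
<?php
// Added illustration of CWE-862 (Missing Authorization) in a WordPress plugin.
// Hypothetical code written for this page: NOT taken from the HubSpot/leadin plugin.

// Vulnerable pattern: wp_ajax_{action} hooks fire for every logged-in role, so
// this handler is reachable by a Contributor and returns every installed
// plugin name and version with no authorization check at all.
add_action( 'wp_ajax_example_plugin_inventory', 'example_plugin_inventory_vulnerable' );
function example_plugin_inventory_vulnerable() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    // Any authenticated user reaches this line: CWE-862.
    wp_send_json_success( get_plugins() );
}

// Hardened pattern: verify the request nonce, then require a capability that
// only Administrators hold by default, before get_plugins() is ever called.
add_action( 'wp_ajax_example_plugin_inventory_safe', 'example_plugin_inventory_hardened' );
function example_plugin_inventory_hardened() {
    // Rejects the request (HTTP 403) if the nonce is missing or invalid.
    check_ajax_referer( 'example_plugin_inventory', 'nonce' );

    // Contributors do not have activate_plugins; fail closed for them.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }

    // Return only what the caller needs (plugin file => version), not the
    // full header block, to keep the disclosed surface minimal even for admins.
    $inventory = array();
    foreach ( get_plugins() as $plugin_file => $plugin_data ) {
        $inventory[ $plugin_file ] = $plugin_data['Version'];
    }
    wp_send_json_success( $inventory );
}
```

The two handlers differ only in the guard at the top, which is the whole of this bug class: an admin-ajax or REST callback that exposes administrative data has to check a capability (or, for REST routes, supply a permission_callback) itself, because being logged in is not an authorization decision. Reviewing a plugin's wp_ajax_ and register_rest_route() callbacks for the absence of current_user_can() is a quick way to spot the same pattern elsewhere.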

Remediation (AI)

Update the HubSpot All-In-One Marketing plugin to version 11.3.33 or later immediately. The patched file is available in the WordPress plugin repository at https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.33/public/admin/class-adminconstants.php. As a temporary compensating control until the upgrade is applied, audit WordPress user roles and remove or downgrade any accounts with Contributor-level access that do not require it, reducing the pool of accounts able to exploit the vulnerability. Additionally, Web Application Firewall (WAF) rules that restrict direct access to the leadin/public/admin/ directory to administrative IP ranges can add a layer of defense, but they do not address the underlying vulnerability and should only supplement patching.
