Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Network-reachable but requires a low-privilege authenticated account (PR:L); pure CWE-201 disclosure yields limited confidentiality only, so I:N/A:N and no scope change.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Insertion of Sensitive Information Into Sent Data vulnerability in HubSpot allows Retrieve Embedded Sensitive Data.
This issue affects HubSpot: from n/a through 11.3.51.
AnalysisAI
Sensitive data exposure in the HubSpot (Leadin) WordPress plugin versions up to and including 11.3.51 allows a low-privileged authenticated user to retrieve embedded sensitive information that is inserted into data sent by the plugin. Reported by Patchstack and tracked as CWE-201 with a CVSS 7.4 (scope-changed), there is no public exploit identified at time of analysis and it is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session with low privileges on the target WordPress site (CVSS PR:L) - a non-admin account such as subscriber or contributor is sufficient, but fully unauthenticated access is not indicated. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L, score 7.4) describes a network-reachable, low-complexity issue requiring low privileges (PR:L, i.e. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds or registers a low-privileged WordPress account (e.g., subscriber) authenticates to a site running the HubSpot plugin ≤11.3.51 and requests a plugin endpoint or page that returns data containing embedded secrets. Because the flaw needs only low privileges, low complexity, and no user interaction over the network, the attacker harvests sensitive information such as API tokens or private CRM/lead data. … |
| Remediation | Update the HubSpot (Leadin) WordPress plugin to a release newer than 11.3.51; the input data confirms 11.3.51 as the last affected version but does not name an exact fixed version, so treat this as 'patch available per vendor advisory' and verify the specific patched build against the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/leadin/vulnerability/wordpress-hubspot-plugin-11-3-51-sensitive-data-exposure-vulnerability?_s_id=cve) and the plugin changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all WordPress installations for HubSpot plugin presence and version; disable plugin on production systems if alternative CRM integration exists. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, which could
The HubSpot - CRM, Email Marketing, Live Chat, Forms & Analytics plugin for WordPress is vulnerable to Stored Cross-Site
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41104
GHSA-j6hf-cv7p-rr4m