Skip to main content

HubSpot WordPress Plugin CVE-2026-57736

| EUVDEUVD-2026-41104 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-07-01 Patchstack GHSA-j6hf-cv7p-rr4m
7.4
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.4 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
vuln.today AI
4.3 MEDIUM

Network-reachable but requires a low-privilege authenticated account (PR:L); pure CWE-201 disclosure yields limited confidentiality only, so I:N/A:N and no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 18:21 vuln.today

DescriptionCVE.org

Insertion of Sensitive Information Into Sent Data vulnerability in HubSpot allows Retrieve Embedded Sensitive Data.

This issue affects HubSpot: from n/a through 11.3.51.

AnalysisAI

Sensitive data exposure in the HubSpot (Leadin) WordPress plugin versions up to and including 11.3.51 allows a low-privileged authenticated user to retrieve embedded sensitive information that is inserted into data sent by the plugin. Reported by Patchstack and tracked as CWE-201 with a CVSS 7.4 (scope-changed), there is no public exploit identified at time of analysis and it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege WordPress account
Delivery
Authenticate to target site
Exploit
Request vulnerable plugin endpoint
Execution
Receive response with embedded secrets
Impact
Extract sensitive HubSpot/CRM data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with low privileges on the target WordPress site (CVSS PR:L) - a non-admin account such as subscriber or contributor is sufficient, but fully unauthenticated access is not indicated. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L, score 7.4) describes a network-reachable, low-complexity issue requiring low privileges (PR:L, i.e. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds or registers a low-privileged WordPress account (e.g., subscriber) authenticates to a site running the HubSpot plugin ≤11.3.51 and requests a plugin endpoint or page that returns data containing embedded secrets. Because the flaw needs only low privileges, low complexity, and no user interaction over the network, the attacker harvests sensitive information such as API tokens or private CRM/lead data. …
Remediation Update the HubSpot (Leadin) WordPress plugin to a release newer than 11.3.51; the input data confirms 11.3.51 as the last affected version but does not name an exact fixed version, so treat this as 'patch available per vendor advisory' and verify the specific patched build against the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/leadin/vulnerability/wordpress-hubspot-plugin-11-3-51-sensitive-data-exposure-vulnerability?_s_id=cve) and the plugin changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all WordPress installations for HubSpot plugin presence and version; disable plugin on production systems if alternative CRM integration exists. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57736 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy