Skip to main content

HubSpot Marketing Plugin CVE-2026-9656

| EUVDEUVD-2026-45152 MEDIUM
Information Exposure (CWE-200)
2026-07-17 Wordfence GHSA-3rq5-wph4-p3mg
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
9.6 CRITICAL

Stolen OAuth token grants full read/write on the external HubSpot tenant (S:C), raising confidentiality and integrity impact beyond the WordPress installation alone.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 07:46 vuln.today
CVE Published
Jul 17, 2026 - 06:53 cve.org
MEDIUM 4.3

DescriptionCVE.org

The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wp_localize_script() / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site's plaintext HubSpot OAuth refresh token exposed via the window.leadinConfig JavaScript object, which can then be used to access or modify data in the connected HubSpot tenant. Although the refresh token is stored at rest with AES-256-CTR encryption, decryption occurs server-side before the plaintext value is passed to wp_localize_script(), rendering the at-rest encryption ineffective against this exposure path.

AnalysisAI

OAuth refresh token theft in HubSpot All-In-One Marketing - Forms, Popups, Live Chat (WordPress plugin 'leadin') exposes connected HubSpot tenants to unauthorized access. Authenticated WordPress users at contributor level or above can extract a plaintext HubSpot OAuth refresh token directly from the client-side window.leadinConfig JavaScript object, which is populated server-side via wp_localize_script() after the plugin decrypts the at-rest AES-256-CTR-encrypted token - rendering the encryption entirely ineffective against this attack path. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain contributor-level WordPress credentials
Delivery
Authenticate to target WordPress site
Exploit
Load page rendering window.leadinConfig JavaScript object
Execution
Extract plaintext HubSpot OAuth refresh token from browser
Persist
Exchange refresh token via HubSpot OAuth API
Impact
Access or modify connected HubSpot tenant data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress session authenticated at contributor role or higher - subscriber-level and unauthenticated users cannot access pages or contexts where window.leadinConfig is populated with the refresh token. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N captures the WordPress-scoped disclosure conservatively but materially understates real-world impact: S:U and C:L treat the leaked credential as low-value information confined to the WordPress system, when in practice the stolen OAuth refresh token unlocks a fully separate external system - the connected HubSpot tenant - enabling read and write access to CRM and marketing data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with WordPress contributor credentials - obtained via phishing, credential stuffing, or brute force against a site lacking account lockout - logs in and opens any page where the leadin plugin renders its JavaScript assets, then retrieves the plaintext HubSpot OAuth refresh token directly from the browser console by reading window.leadinConfig. The attacker passes this token to HubSpot's OAuth token endpoint to obtain an access token, then uses HubSpot's REST API to enumerate contacts, export marketing lists, or alter CRM pipeline records in the connected HubSpot tenant - with no further interaction required from any site administrator. …
Remediation Update the HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin to version 11.3.64 or later, the patched version indicated by the plugin repository changeset (https://plugins.trac.wordpress.org/changeset?old_path=%2Fleadin/tags/11.3.62&new_path=%2Fleadin/tags/11.3.64). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9656 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy