Skip to main content

Hubspot

3 CVEs product

Monthly

CVE-2026-57736 HIGH This Week

Sensitive data exposure in the HubSpot (Leadin) WordPress plugin versions up to and including 11.3.51 allows a low-privileged authenticated user to retrieve embedded sensitive information that is inserted into data sent by the plugin. Reported by Patchstack and tracked as CWE-201 with a CVSS 7.4 (scope-changed), there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The realistic impact is limited to information disclosure of secrets or private data the plugin transmits, without evidence of widespread or automated exploitation.

Information Disclosure Hubspot
NVD VulDB
CVSS 3.1
7.4
EPSS
0.2%
CVE-2024-5879 MEDIUM PATCH This Month

The HubSpot - CRM, Email Marketing, Live Chat, Forms & Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute of the HubSpot Meeting Widget in all. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Hubspot
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2022-1239 HIGH POC This Week

The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF WordPress Hubspot
NVD WPScan
CVSS 3.1
8.8
EPSS
1.4%
EPSS 0% CVSS 7.4
HIGH This Week

Sensitive data exposure in the HubSpot (Leadin) WordPress plugin versions up to and including 11.3.51 allows a low-privileged authenticated user to retrieve embedded sensitive information that is inserted into data sent by the plugin. Reported by Patchstack and tracked as CWE-201 with a CVSS 7.4 (scope-changed), there is no public exploit identified at time of analysis and it is not listed in CISA KEV. The realistic impact is limited to information disclosure of secrets or private data the plugin transmits, without evidence of widespread or automated exploitation.

Information Disclosure Hubspot
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

The HubSpot - CRM, Email Marketing, Live Chat, Forms & Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute of the HubSpot Meeting Widget in all. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Hubspot
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF WordPress Hubspot
NVD WPScan

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy