Hubspot All In One Marketing Forms Popups Live Chat
Monthly
OAuth refresh token theft in HubSpot All-In-One Marketing - Forms, Popups, Live Chat (WordPress plugin 'leadin') exposes connected HubSpot tenants to unauthorized access. Authenticated WordPress users at contributor level or above can extract a plaintext HubSpot OAuth refresh token directly from the client-side window.leadinConfig JavaScript object, which is populated server-side via wp_localize_script() after the plugin decrypts the at-rest AES-256-CTR-encrypted token - rendering the encryption entirely ineffective against this attack path. A stolen token can be replayed against the HubSpot OAuth API to access or modify CRM contacts, marketing campaigns, and other tenant data in the connected HubSpot account. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV.
OAuth refresh token theft in HubSpot All-In-One Marketing - Forms, Popups, Live Chat (WordPress plugin 'leadin') exposes connected HubSpot tenants to unauthorized access. Authenticated WordPress users at contributor level or above can extract a plaintext HubSpot OAuth refresh token directly from the client-side window.leadinConfig JavaScript object, which is populated server-side via wp_localize_script() after the plugin decrypts the at-rest AES-256-CTR-encrypted token - rendering the encryption entirely ineffective against this attack path. A stolen token can be replayed against the HubSpot OAuth API to access or modify CRM contacts, marketing campaigns, and other tenant data in the connected HubSpot account. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV.