Skip to main content

Hubspot All In One Marketing Forms Popups Live Chat

1 CVEs product

Monthly

CVE-2026-9656 MEDIUM This Month

OAuth refresh token theft in HubSpot All-In-One Marketing - Forms, Popups, Live Chat (WordPress plugin 'leadin') exposes connected HubSpot tenants to unauthorized access. Authenticated WordPress users at contributor level or above can extract a plaintext HubSpot OAuth refresh token directly from the client-side window.leadinConfig JavaScript object, which is populated server-side via wp_localize_script() after the plugin decrypts the at-rest AES-256-CTR-encrypted token - rendering the encryption entirely ineffective against this attack path. A stolen token can be replayed against the HubSpot OAuth API to access or modify CRM contacts, marketing campaigns, and other tenant data in the connected HubSpot account. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV.

WordPress Information Disclosure Hubspot All In One Marketing Forms Popups Live Chat
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
EPSS 0% CVSS 4.3
MEDIUM This Month

OAuth refresh token theft in HubSpot All-In-One Marketing - Forms, Popups, Live Chat (WordPress plugin 'leadin') exposes connected HubSpot tenants to unauthorized access. Authenticated WordPress users at contributor level or above can extract a plaintext HubSpot OAuth refresh token directly from the client-side window.leadinConfig JavaScript object, which is populated server-side via wp_localize_script() after the plugin decrypts the at-rest AES-256-CTR-encrypted token - rendering the encryption entirely ineffective against this attack path. A stolen token can be replayed against the HubSpot OAuth API to access or modify CRM contacts, marketing campaigns, and other tenant data in the connected HubSpot account. No public exploit has been identified at time of analysis, and this CVE is not listed in CISA KEV.

WordPress Information Disclosure Hubspot All In One Marketing Forms Popups Live Chat
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy