🔐 CVE Alert

CVE-2026-9656

MEDIUM 4.3

HubSpot All-In-One Marketing <= 11.3.62 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor Localized Script

CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th

The HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wp_localize_script() / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site's plaintext HubSpot OAuth refresh token exposed via the window.leadinConfig JavaScript object, which can then be used to access or modify data in the connected HubSpot tenant. Although the refresh token is stored at rest with AES-256-CTR encryption, decryption occurs server-side before the plaintext value is passed to wp_localize_script(), rendering the at-rest encryption ineffective against this exposure path.

CWE CWE-200
Vendor hubspotdev
Product hubspot all-in-one marketing – forms, popups, live chat
Published Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for hubspotdev hubspot all-in-one marketing – forms, popups, live chat

Be the first to know when new medium vulnerabilities affecting hubspotdev hubspot all-in-one marketing – forms, popups, live chat are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

hubspotdev / HubSpot All-In-One Marketing – Forms, Popups, Live Chat
0 ≤ 11.3.62

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/718d7ea3-d8ba-46a0-9ab1-72657bd82c17?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/admin/class-adminconstants.php#L190 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/auth/class-oauth.php#L46 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/admin/class-gutenberg.php#L44 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/class-assetsmanager.php#L150 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?old_path=%2Fleadin/tags/11.3.62&new_path=%2Fleadin/tags/11.3.64

Credits

anhcd05