CVE-2026-9656
Description
The HubSpot All-In-One Marketing โ Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wp_localize_script() / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site's plaintext HubSpot OAuth refresh token exposed via the window.leadinConfig JavaScript object, which can then be used to access or modify data in the connected HubSpot tenant. Although the refresh token is stored at rest with AES-256-CTR encryption, decryption occurs server-side before the plaintext value is passed to wp_localize_script(), rendering the at-rest encryption ineffective against this exposure path.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/718d7ea3-d8ba-46a0-9ab1-72657bd82c17?source=cve
- https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/admin/class-adminconstants.php#L190
- https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/auth/class-oauth.php#L46
- https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/admin/class-gutenberg.php#L44
- https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/class-assetsmanager.php#L150
- https://plugins.trac.wordpress.org/changeset?old_path=%2Fleadin/tags/11.3.62&new_path=%2Fleadin/tags/11.3.64
CWEs
CWE-200
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.