HubSpot All-In-One Marketing – Forms, Popups, Live Chat Plugin Vulnerability (CVE-2026-9656)

On this page

Security Alert Summary

The HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress exposes a plaintext HubSpot OAuth refresh token via a JavaScript object (window.leadinConfig) localized with wp_localize_script(). Authenticated users with contributor-level access and above can extract this token and use it to access or modify data in the connected HubSpot tenant. Data-at-rest encryption does not prevent this exposure because decryption occurs server-side before the value is passed to the page.

CVE Details

  • CVE ID: CVE-2026-9656
  • Affected component: HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress
  • Affected versions: All versions up to and including 11.3.62
  • Published: July 17, 2026 at 8:16:59 AM
  • Last modified: July 17, 2026 at 2:59:38 PM
  • CVSS v3.1: Base Score 4.3, MEDIUM — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • Authentication / Privileges / User interaction: Authentication required; Privileges required: Low (contributor-level access or higher); User interaction: None
  • Primary impact: Confidentiality: Low (exposure of OAuth refresh token); Integrity: None; Availability: None
  • Weakness (CWE): CWE-200 (Exposure of Sensitive Information)

Technical Details

The plugin passes a HubSpot OAuth refresh token to client-side JavaScript using wp_localize_script(), exposing the token in the window.leadinConfig object. Although the refresh token is stored at rest encrypted with AES-256-CTR, the token is decrypted on the server before being injected into the localized script. This server-side decryption followed by localization creates a client-side exposure path for authenticated users who can load the affected script and read the window.leadinConfig object.

An authenticated attacker with contributor-level access or above can extract the plaintext refresh token from the browser context and then use it to access or modify data in the connected HubSpot tenant. The vulnerability arises from exposing sensitive credentials in client-side code rather than from the at-rest encryption mechanism.

How This Could Impact Your Website

Consider a site where the owner contracts an external content contributor to add posts or manage forms. If that contributor has a contributor-level account, they could retrieve the refresh token exposed in window.leadinConfig while working in the WordPress admin. With that token, an attacker could access the connected HubSpot tenant and view or change marketing data, including contact records and email addresses, increasing the risk of targeted phishing or social engineering against your staff or customers.

For example, internal marketing staff emails stored in HubSpot could be exposed, and an attacker could use tenant access to export contacts or modify marketing workflows. If youre unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor-level accounts.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and HubSpot tenant activity for unusual behavior, such as unexpected API access or token use.

If youd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References