PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9656 hubspotdev CVE debrief

The HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure, allowing authenticated attackers with contributor-level access to extract the site's plaintext HubSpot OAuth refresh token. This token can be used to access or modify data in the connected HubSpot tenant. The vulnerability affects all versions up to, and including, 11.3.62. The exposure occurs via the wp_localize_script() / window.leadinConfig JavaScript object. Although the refresh token is stored with AES-256-CTR encryption at rest, decryption happens server-side before the plaintext value is passed to wp_localize_script(), making the at-rest encryption ineffective against this exposure path.

Vendor
hubspotdev
Product
HubSpot All-In-One Marketing – Forms, Popups, Live Chat
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

WordPress users with the HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin installed, security teams monitoring WordPress vulnerabilities, and organizations using HubSpot should be aware of this vulnerability. They should review their plugin versions, assess their exposure, and take necessary actions to protect their sites and connected HubSpot tenants.

Technical summary

The HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62. The vulnerability is caused by the exposure of the site's plaintext HubSpot OAuth refresh token via the wp_localize_script() / window.leadinConfig JavaScript object. This allows authenticated attackers with contributor-level access and above to extract the token, which can then be used to access or modify data in the connected HubSpot tenant.

Defensive priority

Medium priority due to the CVSS score of 4.3 and the potential impact on connected HubSpot tenants

Recommended defensive actions

  • Update the HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin to the latest version
  • Monitor for suspicious activity related to HubSpot OAuth refresh tokens
  • Restrict access to sensitive data and functionality
  • Implement additional security measures to protect connected HubSpot tenants
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The vulnerability was reported by [email protected] and is tracked in the CVE-2026-9656 record. The NVD entry is currently in the 'Received' status. The reporter provided evidence of the vulnerability through responsible disclosure, but details are limited. Defenders should verify the vulnerability's existence and impact through the CVE and NVD records, and review their own exposure based on plugin versions and HubSpot configurations.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T08:16:59.043Z and has not been modified since then. The NVD entry is currently Received.