HubSpot All-In-One Marketing – Forms, Popups, Live Chat Security & Risk Analysis

wordpress.org/plugins/leadin

The CRM, Sales, and Marketing WordPress plugin to grow your business better. Capture and engage web visitors with free live chat, forms, CRM, email ma …

200K active installs · v11.3.43 · PHP 7.2+ · WP 5.8+ · Updated Mar 11, 2026
Tags: analytics, crm, forms, live-chat, marketing
Score: 98 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Aug 29, 2024

Safety Verdict

Is HubSpot All-In-One Marketing – Forms, Popups, Live Chat Safe to Use in 2026?

Generally Safe

Score 98/100

HubSpot All-In-One Marketing – Forms, Popups, Live Chat has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Aug 29, 2024 · Updated 23d ago

Risk Assessment

The "leadin" plugin v11.3.43 exhibits a generally strong security posture based on the static analysis provided. The absence of dangerous functions, the use of prepared statements for all SQL queries, and a high percentage of properly escaped output are commendable practices. Furthermore, the plugin demonstrates a good awareness of security by implementing nonce checks and capability checks, and it has no unpatched known vulnerabilities.

However, there are specific areas of concern. The presence of two unsanitized paths identified in the taint analysis, even though they are not flagged as critical or high severity, warrants attention as these can sometimes lead to unforeseen vulnerabilities. The plugin also makes external HTTP requests, which, while not inherently insecure, can be a vector for SSRF if not handled with extreme care and input validation. The vulnerability history, particularly the past instances of Cross-site Scripting (XSS) and Server-Side Request Forgery (SSRF), suggests that these types of vulnerabilities have been a recurring issue, indicating a need for continued vigilance in sanitizing user inputs related to these attack vectors.

In conclusion, "leadin" v11.3.43 is a relatively secure plugin with good coding practices in place. The main weaknesses lie in the identified taint flows and the historical prevalence of XSS and SSRF vulnerabilities. While there are no currently unpatched issues, the identified taint flows and past vulnerability types highlight areas where proactive auditing and rigorous input sanitization are crucial to maintain a robust security profile.

Key Concerns

  • Taint flows with unsanitized paths
  • History of high severity vulnerability
  • History of medium severity vulnerability
  • External HTTP requests

Vulnerabilities: 2

HubSpot All-In-One Marketing – Forms, Popups, Live Chat Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2024: 1 CVE

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2024-5879 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics <= 11.1.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via HubSpot Meeting Widget

Aug 29, 2024 · Patched in 11.1.34 (1d)

CVE-2022-1239 · high · 8.1 · Server-Side Request Forgery (SSRF)

HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics <= 8.8.13 - Server Side Request Forgery

Apr 11, 2022 · Patched in 8.8.15 (652d)

Code Analysis
Analyzed Mar 16, 2026

HubSpot All-In-One Marketing – Forms, Popups, Live Chat Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 5 (78 escaped)
Nonce Checks: 3
Capability Checks: 9
File Operations: 0
External Requests: 2
Bundled Libraries: 0

Output Escaping

94% escaped · 83 total outputs

Data Flows: 2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
proxy_requests (public\class-proxy-mappings.php:149)
Attack Surface

HubSpot All-In-One Marketing – Forms, Popups, Live Chat Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers 1

auth · wp_ajax_content_embed_install · public\admin\class-contentembedinstaller.php:23

Shortcodes 1

[hubspot] · public\class-pagehooks.php:29

WordPress Hooks 31

action · admin_footer · public\admin\class-deactivationform.php:17
action · init · public\admin\class-gutenberg.php:21
filter · block_categories_all · public\admin\class-gutenberg.php:22
action · plugins_loaded · public\admin\class-leadinadmin.php:36
action · admin_init · public\admin\class-leadinadmin.php:37
action · admin_init · public\admin\class-leadinadmin.php:38
action · admin_init · public\admin\class-leadinadmin.php:39
action · admin_init · public\admin\class-leadinadmin.php:40
action · admin_menu · public\admin\class-leadinadmin.php:41
action · admin_enqueue_scripts · public\admin\class-leadinadmin.php:42
action · leadin_redirect · public\admin\class-leadinadmin.php:48
action · leadin_activate · public\admin\class-leadinadmin.php:49
action · elementor/documents/register_controls · public\admin\class-leadinadmin.php:56
action · admin_notices · public\admin\class-noticemanager.php:21
filter · plugin_action_links_leadin/leadin.php · public\admin\class-pluginactionsmanager.php:18
filter · plugin_action_links_leadin/leadin.php · public\admin\class-pluginactionsmanager.php:19
action · elementor/elements/categories_registered · public\class-leadin.php:24
action · elementor/controls/register · public\class-leadin.php:25
action · elementor/widgets/register · public\class-leadin.php:26
action · init · public\class-pagehooks.php:21
action · wp_head · public\class-pagehooks.php:23
action · wp_enqueue_scripts · public\class-pagehooks.php:25
filter · script_loader_tag · public\class-pagehooks.php:27
filter · script_loader_tag · public\class-pagehooks.php:28
action · init · public\class-proxy-mappings.php:29
action · template_redirect · public\class-proxy-mappings.php:30
action · wp · public\class-proxy-mappings.php:31
action · leadin_update_proxy_mappings · public\class-proxy-mappings.php:32
action · leadin_reset_wp_mappings_cache · public\class-proxy-mappings.php:33
filter · cron_schedules · public\class-proxy-mappings.php:42
action · rest_api_init · public\includes\api-loader.php:13

Scheduled Events 1

leadin_update_proxy_mappings
Maintenance & Trust

HubSpot All-In-One Marketing – Forms, Popups, Live Chat Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 11, 2026
PHP min version: 7.2
Downloads: 19.4M

Community Trust

Rating: 86/100
Number of ratings: 207
Active installs: 200K

Developer Profile

HubSpot All-In-One Marketing – Forms, Popups, Live Chat Developer Profile

HubSpot

1 plugin · 200K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 327 days
Detection Fingerprints

How We Detect HubSpot All-In-One Marketing – Forms, Popups, Live Chat

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/leadin/public/assets/style/leadin.css
  • /wp-content/plugins/leadin/build/leadin.js
  • /wp-content/plugins/leadin/build/feedback.js
  • /wp-content/plugins/leadin/public/assets/style/leadin-feedback.css
  • /wp-content/plugins/leadin/public/assets/style/leadin-bridge.css?
  • /wp-content/plugins/leadin/build/leadin.css
Script Paths
  • /wp-content/plugins/leadin/build/leadin.js
  • /wp-content/plugins/leadin/build/feedback.js
  • /integrated-app-embedder/v1.js
  • /integrated-app-embedder/v1.js
  • https://static.hsappstatic.net/MeetingsEmbed/ex/MeetingsEmbedCode.js
Version Parameters
ver=11.3.43

HTML / DOM Fingerprints

CSS Classes
leadin-app-embedder
Data Attributes
data-leadin-status
JS Globals
  • leadin_wordpress
  • hubspot-forms-component