CVE-2025-11762

HubSpot All-In-One Marketing - Forms, Popups, Live Chat <= 11.3.32 - Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure

Severity: medium
Type: Missing Authorization
CVSS Score: 4.3
Patched in: 11.3.33
Time to patch: 1d

Description

The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Technical Details

Affected versions: <= 11.3.32
Published: April 23, 2026
Last updated: April 24, 2026
Affected plugin: leadin

What Changed in the Fix

Changes introduced in v11.3.33

Source Code

WordPress.org SVN
Research Plan
Unverified

Exploitation Research Plan: CVE-2025-11762 (HubSpot All-In-One Marketing)

1. Vulnerability Summary

The HubSpot All-In-One Marketing plugin (up to 11.3.32) is vulnerable to Sensitive Information Exposure via the leadin/public/admin/class-adminconstants.php file. The plugin fails to perform adequate authorization checks on a REST API endpoint (or localized data gathering process) that provides configuration data to the admin interface. Specifically, the list of all installed plugins and their versions is gathered using get_plugins() and returned to any authenticated user with Contributor-level access or higher. This information is typically used for reconnaissance by attackers to find other vulnerable plugins.

2. Attack Vector Analysis

  • Endpoint: WordPress REST API namespace leadin/v1.
  • Route: /wp-json/leadin/v1/config (inferred from plugin architecture).
  • Method: GET
  • Authentication: Required (Contributor+ role).
  • Payload: None (direct GET request).
  • Preconditions: The plugin must be active. The attacker must have a valid login for a user with at least the Contributor role (common for sites with multiple authors).

3. Code Flow

  1. The plugin registers REST API routes during rest_api_init.
  2. The route leadin/v1/config is handled by a callback that relies on Leadin\Admin\AdminConstants::get_admin_constants() (defined in public/admin/class-adminconstants.php).
  3. Inside class-adminconstants.php, the function (likely get_admin_constants or get_instance_data) aggregates environment metadata.
  4. It calls the WordPress core function get_plugins() to populate a list of installed software.
  5. The REST route's permission_callback likely only checks if the user is logged in (is_user_logged_in) or uses a low-level capability check like edit_posts (available to Contributors), instead of manage_options (Administrators only).
  6. The aggregated data is returned as a JSON response.

4. Nonce Acquisition Strategy

To interact with the WordPress REST API while authenticated, a wp_rest nonce is required in the X-WP-Nonce header.

  1. Identity Variable: The HubSpot plugin often localizes its own config, but the standard wp_rest nonce is always available in the wp-admin dashboard.
  2. Strategy:
    • Log in as a Contributor.
    • Navigate to any dashboard page (e.g., /wp-admin/index.php).
    • Extract the nonce from the wpApiSettings JavaScript object.
  3. Extraction Command:
    // In browser console or browser_eval
    window.wpApiSettings.nonce

5. Exploitation Strategy

  1. Setup: Ensure the target WordPress site has the HubSpot plugin (v11.3.32) and several other plugins installed (to verify the leak).
  2. Create User: Create a user with the Contributor role.
  3. Authentication: Authenticate the session using the Contributor credentials.
  4. Fetch Nonce: Use browser_navigate to /wp-admin/ and browser_eval to grab window.wpApiSettings.nonce.
  5. Trigger Leak: Perform an HTTP GET request to the REST endpoint.
    • URL: http://<target>/wp-json/leadin/v1/config
    • Headers:
      • X-WP-Nonce: <extracted_nonce>
      • Content-Type: application/json
  6. Verify Data: Inspect the JSON response for a key containing plugin data (likely named plugins, plugin_list, or installed_plugins).

6. Test Data Setup

  1. Plugin Version: Install leadin version 11.3.32.
  2. Contributor User:
    • Username: researcher
    • Password: password123
    • Role: contributor
  3. Noise Plugins: Install a few well-known plugins (e.g., akismet, contact-form-7, elementor) so the disclosure is obvious.
  4. No Shortcode Needed: Unlike frontend vulnerabilities, this is an administrative REST API issue; simply being logged into wp-admin is sufficient.

7. Expected Results

A successful exploit will return a 200 OK response with a JSON body. Example structure:

{
  "wpVersion": "6.7.1",
  "phpVersion": "8.1.0",
  "installed_plugins": {
    "akismet/akismet.php": {
      "Name": "Akismet Anti-Spam",
      "Version": "5.3",
      ...
    },
    "leadin/leadin.php": {
      "Name": "HubSpot All-In-One Marketing",
      "Version": "11.3.32",
      ...
    }
  },
  ...
}

8. Verification Steps

  1. Manual Check: Compare the JSON output with the output of wp plugin list --format=json via WP-CLI.
  2. Code Audit: Verify the fix in 11.3.33 by checking the permission_callback in the REST route registration. It should now check for manage_options.
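As an added illustration that is not the leadin plugin's own code: the permission_callback pattern suspected in the code flow (section 3) and the manage_options check the verification step above expects the fix to use, shown weak and then hardened. The namespace, route, function names and response keys follow the plan's inferences and are assumptions.

```php
<?php
// Added illustration, not the leadin plugin's real code. Names, route and response
// keys follow the research plan's inferences and are assumptions.

// Shared callback. get_plugins() lives in wp-admin/includes/plugin.php and is not
// loaded in REST context by default, hence the explicit require.
function leadin_example_config_callback( WP_REST_Request $request ) {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    return rest_ensure_response( array(
        'wpVersion'         => get_bloginfo( 'version' ),
        'phpVersion'        => PHP_VERSION,
        'installed_plugins' => get_plugins(), // full inventory with versions
    ) );
}

// WEAK (the pattern the plan suspects): edit_posts is granted to Contributors, so
// every Contributor+ account can read the plugin inventory returned above.
function leadin_example_register_weak_route() {
    register_rest_route( 'leadin/v1', '/config', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'leadin_example_config_callback',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );
}

// HARDENED: only users with manage_options (Administrators) may read the
// configuration, which is the capability the verification step expects the fix to check.
function leadin_example_register_hardened_route() {
    register_rest_route( 'leadin/v1', '/config', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'leadin_example_config_callback',
        'permission_callback' => function () {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            // WP_Error yields a 401/403 response with a machine-readable reason.
            return new WP_Error(
                'rest_forbidden',
                __( 'You are not allowed to view site configuration.', 'leadin-example' ),
                array( 'status' => rest_authorization_required_code() )
            );
        },
    ) );
}
add_action( 'rest_api_init', 'leadin_example_register_hardened_route' );
```

When auditing the patched release, the thing to confirm is that the registered route's permission_callback resolves to the manage_options check rather than a logged-in or edit_posts test.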

9. Alternative Approaches

If the REST endpoint /leadin/v1/config is not found, attempt to find where the "HubSpot Configuration" is loaded:

  • Localized Data: Visit the HubSpot settings page in wp-admin as a Contributor (if accessible). Use browser_eval("window.leadinConfig") or browser_eval("window.hubspotConfig"). Even if the page displays "Access Denied," the script might still be enqueued and localized.
  • AJAX: Check for an AJAX action named leadin_get_config or leadin_constants via admin-ajax.php.
  • Other Routes: Search for other routes registered under the leadin/v1 namespace using the wp-json index: GET /wp-json/leadin/v1.
