[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQUcXwBQUfFEbnVbptv1Oicw5PUcSRj9KoJTSimzdxRo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2025-11762","hubspot-all-in-one-marketing-forms-popups-live-chat-missing-authorization-to-authenticated-contributor-installed-plugin-","HubSpot All-In-One Marketing - Forms, Popups, Live Chat \u003C= 11.3.32 - Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure","The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin\u002Fpublic\u002Fadmin\u002Fclass-adminconstants.php file. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks.","leadin",null,"\u003C=11.3.32","11.3.33","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Missing Authorization","2026-04-23 19:19:31","2026-04-24 07:45:07",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2a8c62e6-f459-433a-b0c4-c79285ea7fe9?source=api-prod",1,[22,23,24,25,26,27,28,29],"changelog.txt","languages\u002Fleadin-da_DK.po","languages\u002Fleadin-de_AT.po","languages\u002Fleadin-de_CH_informal.po","languages\u002Fleadin-de_DE.po","languages\u002Fleadin-de_DE_formal.po","languages\u002Fleadin-en.po","languages\u002Fleadin-en_AU.po","researched",false,3,"# Exploitation Research Plan: CVE-2025-11762 (HubSpot All-In-One Marketing)\n\n## 1. Vulnerability Summary\nThe **HubSpot All-In-One Marketing** plugin (up to 11.3.32) is vulnerable to **Sensitive Information Exposure** via the `leadin\u002Fpublic\u002Fadmin\u002Fclass-adminconstants.php` file. The plugin fails to perform adequate authorization checks on a REST API endpoint (or localized data gathering process) that provides configuration data to the admin interface. Specifically, the list of all installed plugins and their versions is gathered using `get_plugins()` and returned to any authenticated user with **Contributor-level** access or higher. This information is typically used for reconnaissance by attackers to find other vulnerable plugins.\n\n## 2. 
Attack Vector Analysis\n-   **Endpoint:** WordPress REST API namespace `leadin\u002Fv1`.\n-   **Route:** `\u002Fwp-json\u002Fleadin\u002Fv1\u002Fconfig` (an inference from the plugin architecture, not a route confirmed in the source; enumerate the namespace index with `GET \u002Fwp-json\u002Fleadin\u002Fv1` before relying on it).\n-   **Method:** `GET`\n-   **Authentication:** Required. Either a logged-in cookie session plus a `wp_rest` nonce in `X-WP-Nonce`, or an Application Password sent as Basic auth over HTTPS; the user needs at least the `Contributor` role.\n-   **Payload:** None (direct GET request).\n-   **Preconditions:** The plugin must be active. The attacker must have a valid login for a user with at least the `Contributor` role (common on sites with multiple authors). Contributors cannot open the Plugins screen (it requires `activate_plugins`), so the inventory is information the role is not otherwise meant to see.\n\n## 3. Code Flow\n1.  The plugin registers REST API routes during `rest_api_init`.\n2.  The route `leadin\u002Fv1\u002Fconfig` is presumed to be handled by a callback that relies on `Leadin\\Admin\\AdminConstants::get_admin_constants()` (defined in `public\u002Fadmin\u002Fclass-adminconstants.php`).\n3.  Inside `class-adminconstants.php`, the function (likely `get_admin_constants` or `get_instance_data`; both names are guesses to confirm in the source) aggregates environment metadata.\n4.  It calls the WordPress core function `get_plugins()` to populate a list of installed software. `get_plugins()` is defined in `wp-admin\u002Fincludes\u002Fplugin.php`, which is not loaded for REST requests unless the plugin requires it itself; a fatal error on the route is the symptom when that include is missing.\n5.  The REST route's `permission_callback` likely only checks whether the user is logged in (`is_user_logged_in`) or uses a low capability such as `edit_posts` (granted to Contributors), instead of `manage_options` (Administrators only). The data is an administrator-level view of the site, so the capability gate should match it.\n6.  The aggregated data is returned as a JSON response.\n\n## 4. Nonce Acquisition Strategy\nCookie-authenticated REST requests are treated as anonymous unless a valid `wp_rest` nonce accompanies them in the `X-WP-Nonce` header (or the `_wpnonce` query parameter). The nonce is bound to the logged-in session, so cookies and nonce must be sent together. Application Passwords (Basic auth over HTTPS) need no nonce and are an alternative where the site allows them.\n\n1.  **Nonce Source:** `wpApiSettings` is localized only for the core `wp-api-request` script, so it is not defined on every dashboard page. Two sources that work for any logged-in user: the block editor (`\u002Fwp-admin\u002Fpost-new.php`, which a Contributor can open) exposes the value as `wp.apiFetch.nonceMiddleware.nonce`, and `GET \u002Fwp-admin\u002Fadmin-ajax.php?action=rest-nonce` with the session cookie returns a fresh nonce as plain text.\n2.  **Strategy:**\n    -   Log in as a **Contributor**.\n    -   Navigate to a page that carries the nonce (e.g., `\u002Fwp-admin\u002Fpost-new.php`).\n    -   Extract the nonce from the `wpApiSettings` or `wp.apiFetch` JavaScript objects, falling back to the `rest-nonce` AJAX action.\n3.  **Extraction Command:**\n    ```javascript\n    \u002F\u002F In browser console or browser_eval; wpApiSettings exists only where wp-api-request is enqueued\n    window.wpApiSettings ? wpApiSettings.nonce : wp.apiFetch.nonceMiddleware.nonce\n    ```\n\n## 5. 
Exploitation Strategy\n1.  **Setup:** Ensure the target WordPress site has the HubSpot plugin (v11.3.32) and several other plugins installed (to verify the leak).\n2.  **Create User:** Create a user with the `Contributor` role.\n3.  **Authentication:** Authenticate the session using the Contributor credentials.\n4.  **Fetch Nonce:** Use `browser_navigate` to `\u002Fwp-admin\u002Fpost-new.php` and `browser_eval` to grab `window.wpApiSettings.nonce` (or `wp.apiFetch.nonceMiddleware.nonce`); `\u002Fwp-admin\u002Findex.php` does not reliably define either object. Outside a browser, `GET \u002Fwp-admin\u002Fadmin-ajax.php?action=rest-nonce` with the session cookie returns the nonce.\n5.  **Trigger Leak:** Perform an HTTP GET request to the REST endpoint, sending the session cookies together with the nonce (a GET needs no `Content-Type`).\n    -   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-json\u002Fleadin\u002Fv1\u002Fconfig`\n    -   **Headers:**\n        -   `Cookie: \u003Cwordpress_logged_in_* session cookie>`\n        -   `X-WP-Nonce: \u003Cextracted_nonce>`\n    -   A missing nonce does not produce a nonce error: WordPress treats the request as unauthenticated and the `permission_callback` answers `401 rest_forbidden`. An invalid nonce produces `403 rest_cookie_invalid_nonce`. Either response means the leak was not reached, not that the route is fixed.\n6.  **Verify Data:** Inspect the JSON response for a key containing plugin data (likely named `plugins`, `plugin_list`, or `installed_plugins`; confirm the real key in the response or the source). Repeat the request unauthenticated and as a `Subscriber`: if both are refused while the Contributor succeeds, the gate is a capability check such as `edit_posts`; if the Subscriber also succeeds, it is `is_user_logged_in` or absent.\n\n## 6. Test Data Setup\n1.  **Plugin Version:** Install `leadin` version `11.3.32`.\n2.  **Contributor User:**\n    -   Username: `researcher`\n    -   Password: `password123`\n    -   Role: `contributor`\n3.  **Noise Plugins:** Install a few well-known plugins (e.g., `akismet`, `contact-form-7`, `elementor`) so the disclosure is obvious. Leave at least one of them inactive: `get_plugins()` lists inactive plugins too, which is part of what makes the leak useful to an attacker.\n4.  **No Shortcode Needed:** Unlike frontend vulnerabilities, this is an administrative REST API issue; simply being logged into `wp-admin` is sufficient.\n\n## 7. Expected Results\nA successful exploit will return a `200 OK` response with a JSON body. The key names and surrounding fields below are illustrative; the inner map keyed by plugin file path is the shape `get_plugins()` returns. Example structure:\n```json\n{\n  \"wpVersion\": \"6.7.1\",\n  \"phpVersion\": \"8.1.0\",\n  \"installed_plugins\": {\n    \"akismet\u002Fakismet.php\": {\n      \"Name\": \"Akismet Anti-Spam\",\n      \"Version\": \"5.3\",\n      ...\n    },\n    \"leadin\u002Fleadin.php\": {\n      \"Name\": \"HubSpot All-In-One Marketing\",\n      \"Version\": \"11.3.32\",\n      ...\n    }\n  },\n  ...\n}\n```\n\n## 8. Verification Steps\n1.  
**Manual Check:** Compare the JSON output with the output of `wp plugin list --format=json` via WP-CLI. `get_plugins()` keys entries by plugin file (`akismet\u002Fakismet.php`) whereas WP-CLI reports the slug (`akismet`), so normalize the keys before diffing; a match on names and exact versions for plugins the Contributor cannot see on the Plugins screen is the proof of disclosure.\n2.  **Code Audit:** Verify the fix in 11.3.33 by diffing `public\u002Fadmin\u002Fclass-adminconstants.php` and the REST route registration between the 11.3.32 and 11.3.33 tags (the `patch_diff_files` list on this record shows only the changelog and translation files, so use the Trac links under `source_links`). The fix may be a `permission_callback` raised to `manage_options`, or removal of the plugin inventory from the data returned to lower roles; confirm which, then re-run the Contributor request against 11.3.33 and expect no plugin list.\n\n## 9. Alternative Approaches\nIf the REST endpoint `\u002Fleadin\u002Fv1\u002Fconfig` is not found, attempt to find where the \"HubSpot Configuration\" is loaded:\n-   **Localized Data:** Visit the HubSpot settings page in `wp-admin` as a Contributor (if accessible). Use `browser_eval(\"window.leadinConfig\")` or `browser_eval(\"window.hubspotConfig\")` (object names are guesses; read the `wp_localize_script` calls in the plugin for the real ones). Even if the page displays \"Access Denied,\" the script might still be enqueued and localized, which would make the leak reachable from any admin page that loads it.\n-   **AJAX:** Check for an AJAX action such as `leadin_get_config` or `leadin_constants` via `admin-ajax.php` (guessed names; grep the plugin for `wp_ajax_` hooks rather than guessing).\n-   **Other Routes:** Search for other routes registered under the `leadin\u002Fv1` namespace using the `wp-json` index: `GET \u002Fwp-json\u002Fleadin\u002Fv1`.","gemini-3-flash-preview","2026-04-27 13:30:42","2026-04-27 13:31:15",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","11.3.21","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fleadin\u002Ftags\u002F11.3.21","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fleadin.11.3.21.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fleadin\u002Ftags\u002F11.3.33","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fleadin.11.3.33.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fleadin\u002Ftags"]