Stored Cross-Site Scripting in Hubspot Forms Integration for WordPress
CVE-2026-1908

6.4MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
21 March 2026

What is CVE-2026-1908?

The Integration with Hubspot Forms plugin for WordPress has a vulnerability allowing authenticated attackers, with Contributor-level access and higher, to exploit insufficient input sanitization and output escaping. By manipulating the 'hubspotform' shortcode, these attackers can inject arbitrary web scripts into web pages. This injection results in the execution of malicious scripts whenever a user visits the compromised page, potentially leading to data theft or other harmful activities. It's crucial for users of this plugin to upgrade to the latest version and implement security measures to mitigate the risks associated with this vulnerability.

Affected Version(s)

Integration with Hubspot Forms 0 <= 1.2.2

References

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Gilang Asra Bilhadi
.