Stored Cross-Site Scripting in Hubspot Forms Integration for WordPress
CVE-2026-1908
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 21 March 2026
What is CVE-2026-1908?
The Integration with Hubspot Forms plugin for WordPress has a vulnerability allowing authenticated attackers, with Contributor-level access and higher, to exploit insufficient input sanitization and output escaping. By manipulating the 'hubspotform' shortcode, these attackers can inject arbitrary web scripts into web pages. This injection results in the execution of malicious scripts whenever a user visits the compromised page, potentially leading to data theft or other harmful activities. It's crucial for users of this plugin to upgrade to the latest version and implement security measures to mitigate the risks associated with this vulnerability.
Affected Version(s)
Integration with Hubspot Forms 0 <= 1.2.2