Sensitive Information Exposure in HubSpot All-In-One Marketing Plugin for WordPress
CVE-2026-9656
4.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 17 July 2026
What is CVE-2026-9656?
The HubSpot All-In-One Marketing plugin for WordPress has a vulnerability that allows authenticated attackers with contributor-level access and above to exploit the window.leadinConfig JavaScript object. This exposure enables the retrieval of the site's plaintext HubSpot OAuth refresh token, despite being encrypted with AES-256-CTR at rest. Since the decryption occurs on the server side before the value is passed to wp_localize_script(), this flaw undermines the effectiveness of the encryption, risking unauthorized access or modifications to the associated HubSpot account.
Affected Version(s)
HubSpot All-In-One Marketing β Forms, Popups, Live Chat 0 <= 11.3.62