cleantalk
Vulnerabilities and Security Research

Vulnerabilities and security research for leadin

Jun 07, 2024

HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics # CVE-2022-1239

CVE, Research URL

CVE-2022-1239

Date
May 02, 2022
Research Description
The HubSpot WordPress plugin before 8.8.15 does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above) to perform SSRF attacks
Affected versions
max 8.8.15.
Status
vulnerable
Aug 30, 2024

HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics # CVE-2024-5879

CVE, Research URL

CVE-2024-5879

Date
Aug 30, 2024
Research Description
The HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute of the HubSpot Meeting Widget in all versions up to, and including, 11.1.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 11.1.34.
Status
vulnerable
Apr 24, 2026

HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics # CVE-2025-11762

CVE, Research URL

CVE-2025-11762

Date
Apr 24, 2026
Research Description
The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks.
Affected versions
max 11.3.33.
Status
vulnerable