CVE-2024-7389 HIGH

CVE-2024-7389: Forminator <= 1.29.1 - HubSpot Developer API Key Sensitive Information Exposure

Vendor Wpmudev
Product Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Weakness CWE-522 · Insufficiently protected credentials
Published August 2, 2024
Last update April 8, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.29.1 via class-forminator-addon-hubspot-wp-api.php. This makes it possible for unauthenticated attackers to extract the HubSpot integration developer API key and make unauthorized changes to the plugin's HubSpot integration or expose personally identifiable information from plugin users using the HubSpot integration.

Key dates

02Disclosure timeline

August 2, 2024 CVE published
April 8, 2026 Record updated