CVE-2025-11762 MEDIUM

CVE-2025-11762: HubSpot All-In-One Marketing - Forms, Popups, Live Chat <= 11.3.32 - Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure

Vendor Hubspotdev
Product HubSpot All-In-One Marketing – Forms, Popups, Live Chat
Weakness CWE-862 · Missing authorization
Published April 24, 2026
Last update April 24, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. The data assembled there is handed to any authenticated user who can reach the plugin's admin context without a capability check, so authenticated attackers with Contributor-level access and above can extract a list of all installed plugins and their versions. That inventory is reconnaissance material: it tells an attacker exactly which other plugins, at which versions, are present on the site, and therefore which known plugin vulnerabilities are worth trying next.
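To make the failure mode concrete, the following is an added illustration written for this page; it is not code from the HubSpot plugin, and the function and hook names (example_admin_config_vulnerable, example_admin_config_fixed, the script handle and object name) are assumptions chosen for the example. It shows the generic WordPress pattern behind this class of flaw: a config array built with get_plugins() and pushed into an admin page for every logged-in user, beside the same array gated on the capability WordPress itself requires for the Plugins screen.

```php
<?php
/**
 * Added illustration, not the HubSpot plugin's own code. Shows how an admin
 * "constants" array can leak the full plugin inventory to any wp-admin user,
 * and how to authorize that data with a capability check. All function and
 * handle names below are assumptions made for this example.
 */

// get_plugins() is defined in wp-admin/includes/plugin.php, which is not loaded
// on front-end or REST requests, so pull it in explicitly before using it.
if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

/**
 * Flawed pattern (CWE-862). The only gate is "is a user logged in", which is
 * authentication, not authorization. Contributors can load wp-admin pages, so
 * they receive every installed plugin's slug and version.
 */
function example_admin_config_vulnerable() {
    if ( ! is_user_logged_in() ) {
        return array();
    }

    $plugins = array();
    foreach ( get_plugins() as $plugin_file => $plugin_data ) {
        $plugins[ $plugin_file ] = $plugin_data['Version'];
    }

    return array(
        'siteUrl'          => get_site_url(),
        'installedPlugins' => $plugins, // disclosed to Contributor and above
    );
}

/**
 * Hardened pattern. Build the data a low-privilege user legitimately needs,
 * then add the plugin inventory only for users who may manage plugins.
 * activate_plugins is the capability WordPress checks for the Plugins screen;
 * Contributors do not have it, so they get the config without the list.
 */
function example_admin_config_fixed() {
    if ( ! is_user_logged_in() ) {
        return array();
    }

    $config = array( 'siteUrl' => get_site_url() );

    if ( current_user_can( 'activate_plugins' ) ) {
        $plugins = array();
        foreach ( get_plugins() as $plugin_file => $plugin_data ) {
            $plugins[ $plugin_file ] = $plugin_data['Version'];
        }
        $config['installedPlugins'] = $plugins;
    }

    return $config;
}

// Either array would typically be passed to wp_localize_script() on the
// plugin's admin page. Whatever lands in that array is printed into the page
// as a JavaScript object, readable in the HTML source by every user who can
// open the page, so the capability check has to happen before this point.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script(
        'example-admin',
        plugins_url( 'admin.js', __FILE__ ),
        array(),
        '1.0.0',
        true
    );
    wp_localize_script( 'example-admin', 'exampleAdminConfig', example_admin_config_fixed() );
} );
```

A quick way to check any plugin for this pattern is to log in as a Contributor, open the plugin's admin page, and grep the page source (and any admin-ajax or REST responses the page makes) for plugin slugs and version strings; a correctly authorized plugin shows none of them to that role. Note that is_admin() and is_user_logged_in() are context and authentication checks respectively, and neither one is an authorization check.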

Explanation of Vulnerability in Simple Terms

02 Summary

The HubSpot All-In-One Marketing plugin for WordPress contains an authorization flaw: information meant only for administrators is made available to any logged-in user who can reach the plugin's admin context, with no check that the user actually holds an administrative capability. An attacker with an ordinary Contributor account can therefore read the list of every plugin installed on the site and its version, information WordPress normally restricts to users who can manage plugins. The vulnerability affects versions up to and including 11.3.32 and requires a valid login to exploit.

What an attacker can do

03 Attacker Capabilities

Enumerate every installed plugin and its version by making authenticated requests as a Contributor or higher, giving the attacker an accurate fingerprint of the site's attack surface to match against known vulnerabilities in those other plugins.

Potential impact on your site

04 Site Impact

Unauthorized disclosure of the site's plugin inventory (names and versions) to low-privilege users; a confidentiality breach whose main practical effect is to shortcut reconnaissance for follow-on attacks against other installed plugins. Integrity and availability are not affected by this issue itself.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid account with the Contributor role or higher on a WordPress site running the plugin at version 11.3.32 or earlier. No user interaction is required, and the attack is carried out over the network.

Key dates

06 Disclosure timeline

April 24, 2026 CVE published
April 24, 2026 Record updated