{"id":82138,"date":"2026-07-17T11:46:59","date_gmt":"2026-07-17T08:16:59","guid":{"rendered":"https:\/\/afaghhosting.net\/blog\/cve-2026-9656-hubspot-all-in-one-marketing\/"},"modified":"2026-07-17T11:46:59","modified_gmt":"2026-07-17T08:16:59","slug":"cve-2026-9656-hubspot-all-in-one-marketing","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/cve-2026-9656-hubspot-all-in-one-marketing\/","title":{"rendered":"CVE-2026-9656 &#8211; HubSpot All-In-One Marketing"},"content":{"rendered":"<p>CVE ID :CVE-2026-9656<\/p>\n<p>  Published : July 17, 2026, 8:16 a.m. | 1\u00a0hour, 20\u00a0minutes ago<\/p>\n<p>  Description :The HubSpot All-In-One Marketing \u2013 Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wp_localize_script() \/ window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site&#8217;s plaintext HubSpot OAuth refresh token exposed via the window.leadinConfig JavaScript object, which can then be used to access or modify data in the connected HubSpot tenant. Although the refresh token is stored at rest with AES-256-CTR encryption, decryption occurs server-side before the plaintext value is passed to wp_localize_script(), rendering the at-rest encryption ineffective against this exposure path.<\/p>\n<p>  Severity: 4.3 | MEDIUM<\/p>\n<p>  Visit the link for more details, such as CVSS details, affected products, timeline, and more&#8230;\u00a0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE ID :CVE-2026-9656 Published : July 17, 2026, 8:16 a.m. | 1\u00a0hour, 20\u00a0minutes ago Description :The HubSpot All-In-One Marketing \u2013 Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wp_localize_script() \/ window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-82138","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/82138","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=82138"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/82138\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=82138"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=82138"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=82138"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}