WordPress Plugin Vulnerabilities

HubSpot All-In-One Marketing - Forms, Popups, Live Chat < 11.3.33 - Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure

Description

The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks.

Affects Plugins

Plugin icon
leadin
Fixed in 11.3.33

References

CVE
CVE-2025-11762
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2a8c62e6-f459-433a-b0c4-c79285ea7fe9

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
2.7 (Low)

Miscellaneous

Original Researcher
Dmitrii Ignatyev
Verified
No
WPVDB ID
039579ce-2dbe-4f54-8a5b-057fa715a82f

Timeline

Publicly Published
2026-04-23 (about 20 days ago)
Added
2026-04-23 (about 20 days ago)
Last Updated
2026-04-24 (about 19 days ago)

Other

Published
Title
Published
2023-11-27
Title
Participants Database < 2.5.6 - Missing Authorization
Published
2024-11-01
Title
Paytium < 4.4.11 - Missing Authorization
Published
2025-03-14
Title
School Management System – WPSchoolPress < 2.2.17 - Missing Authorization to Arbitrary User Deletion
Published
2025-11-10
Title
Crypto Tool <= 2.22 - Missing Authentication to Unauthenticated Limited File Deletion
Published
2026-03-18
Title
Print Invoice & Delivery Notes for WooCommerce < 6.0.0 - Missing Authorization