Forminator < 1.29.2 – HubSpot Developer API Key Sensitive Information Exposure | CVE 2024-7389 | Plugin Vulnerabilities

Description

The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.29.1 via class-forminator-addon-hubspot-wp-api.php. This makes it possible for unauthenticated attackers to extract the HubSpot integration developer API key and make unauthorized changes to the plugin's HubSpot integration or expose personally identifiable information from plugin users using the HubSpot integration.

Affects Plugins

Fixed in 1.29.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0d04b822-a48a-485e-b9b5-f5a213307c71

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Sean Murphy

Verified

No

WPVDB ID

5876d393-3852-4178-8667-7a2531ccf705

Timeline

Publicly Published

2024-08-01 (about 1 year ago)

Added

2024-08-05 (about 1 year ago)

Last Updated

2024-08-05 (about 1 year ago)

Other

Published

Title

Published

2025-11-12

Title

SureForms < 1.13.2 - Unauthenticated Sensitive Information Exposure

Published

2023-04-19

Title

Active Directory Integration / LDAP Integration < 4.1.1 - Unauthenticated Data Disclosure

Published

2024-04-26

Title

Contact Form 7 Database Addon – CFDB7 < 1.2.7 - Unauthenticated Sensitive Information Exposure

Published

2024-08-12

Title

Order Export for WooCommerce < 3.24 - Unauthenticated Sensitive Information Exposure

Published

2024-04-10

Title

Element Pack Elementor Addons < 5.6.0 - Sensitive Information Exposure via element_pack_ajax_search