Thursday, July 2, 2026

HubSpot WordPress Plugin Vulnerability


WPScan and the U.S. Government National Vulnerability Database published a notification about a vulnerability found in the HubSpot WordPress plugin. The vulnerability exposes users of the plugin to server-side request forgery attacks.

WPScan Vulnerability Report

Security researchers at WPScan released the following report:

“HubSpot < 8.8.15 - Contributor + Blind SSRF

Description

The plugin does not validate proxy URLs provided to proxy REST endpoints, which could allow users with edit_posts capability (default contributors and above) to perform SSRF attacks”

Server-Side Request Forgery (SSRF) Vulnerability

Exploiting this vulnerability requires an authenticated account with at least contributor-level privileges (the edit_posts capability), so it is not reachable by anonymous visitors.

The non-profit Open Web Application Security Project (OWASP) is a global organization dedicated to software security. It describes SSRF as a class of vulnerability that can expose internal services which were never meant to be reachable from outside the server.

According to OWASP:

“In a server-side request forgery (SSRF) attack, an attacker can abuse functionality on the server to read or update internal resources.

An attacker can provide or modify the URL where code running on the server will read or submit data, and by carefully choosing the URL, the attacker may be able to read server configuration (such as AWS metadata), connect to internal services such as http-enabled databases or perform publish requests to internal services that are not intended to be exposed.”

Services that should not be exposed are:

  • “Cloud server metadata
  • Database HTTP interface
  • Internal REST interface
  • files – attackers may be able to use URIs to read files”
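The WPScan description says the plugin's proxy REST endpoints did not validate the URL they were asked to fetch, and the OWASP list above names the internal targets that such a proxy must never reach. The following is an added example, written for this article and not code from the HubSpot plugin or from WPScan, of the validation a server-side proxy endpoint should apply before fetching a user-supplied URL: a scheme allowlist (rejecting file:// and similar URIs), an exact host allowlist, and a check that every address the host resolves to lies outside loopback, RFC 1918, link-local (which includes the cloud metadata address) and IPv4-mapped IPv6 ranges. The `fake_resolver` table and the `allowed_hosts` values are constructed for the demonstration so the code runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Address ranges a proxy endpoint should never reach on a user's behalf:
# loopback, RFC 1918 private space, link-local (covers the cloud metadata
# address 169.254.169.254), carrier-grade NAT, and the IPv6 equivalents.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
        "169.254.0.0/16", "0.0.0.0/8", "100.64.0.0/10",
        "::1/128", "fc00::/7", "fe80::/10",
    )
]

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Resolve a hostname to the set of IP addresses it currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_proxy_url(url, allowed_hosts, resolver=default_resolver):
    """Return (ok, reason) for a URL that a proxy endpoint was asked to fetch.

    Order of checks: scheme allowlist, no embedded credentials, exact host
    allowlist, then every resolved address must be outside BLOCKED_NETWORKS.
    Resolving here (rather than letting the HTTP client re-resolve later)
    lets the caller connect to the vetted address and avoids DNS rebinding.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    if host not in {h.lower() for h in allowed_hosts}:
        return False, f"host not in allowlist: {host!r}"
    try:
        addresses = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for addr in addresses:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop any zone id
        # An IPv4-mapped IPv6 address (::ffff:10.0.0.1) hides a private v4 address.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"


def fake_resolver(host):
    """Constructed DNS table for the demo (hypothetical names, documentation IPs)."""
    table = {
        "api.example.com": {"203.0.113.10"},
        "internal.example.com": {"10.0.0.5"},
        "v6.example.com": {"::ffff:192.168.1.1"},
    }
    try:
        ipaddress.ip_address(host)
        return {host}  # an IP literal "resolves" to itself
    except ValueError:
        pass
    if host not in table:
        raise OSError(f"no such host: {host}")
    return table[host]


if __name__ == "__main__":
    allowed = {"api.example.com", "internal.example.com", "v6.example.com",
               "169.254.169.254"}
    for candidate in (
        "https://api.example.com/v1/data",
        "http://internal.example.com/admin",
        "http://169.254.169.254/latest/meta-data/",
        "file:///etc/passwd",
        "https://v6.example.com/",
        "http://user:pw@api.example.com/",
    ):
        print(candidate, "->", validate_proxy_url(candidate, allowed, fake_resolver))
```

The allowlist is deliberately the first line of defence: a proxy that only needs to reach one vendor's API has no reason to accept arbitrary hosts, and the address-range check is there to catch allowlisted names that later resolve somewhere internal.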

HubSpot WordPress Plugin

The HubSpot WordPress plugin is used by over 200,000 publishers. It offers CRM, live chat, analytics and email marketing related features.

The WPScan report states that the vulnerability was fixed in version 8.8.15.

However, the changelog, which records the contents of each software update, shows that the HubSpot WordPress plugin received additional updates shortly afterward to fix other vulnerabilities.

Here is the list of updates according to the official changelog, starting with the oldest:

= 8.8.15 (2022-04-07) =
* Fix security issue related to proxy URL

= 8.9.14 (2022-04-12) =
* Fix security issue related to form inputs

= 8.9.20 (2022-04-13) =
* Fix security issue related to sanitizing inputs

While security firm WPScan and the National Vulnerability Database state that the vulnerability was fixed in version 8.8.15, the HubSpot plugin changelog records further security fixes through version 8.9.20.

Therefore, it is prudent to update the HubSpot plugin to at least version 8.9.20, although the absolute latest version of the HubSpot WordPress plugin at the time of writing is version 8.11.0.

Citation

Read the WPScan Vulnerability Report

HubSpot < 8.8.15 - Contributor + Blind SSRF

Read the National Vulnerability Database report

CVE-2022-1239 Details

Check out the HubSpot WordPress plugin changelog

HubSpot WordPress Plugin Changelog
