{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11762", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-14T20:34:25.859Z", "datePublished": "2026-04-24T07:45:06.751Z", "dateUpdated": "2026-04-24T18:17:28.206Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-24T07:45:06.751Z"}, "affected": [{"vendor": "hubspotdev", "product": "HubSpot All-In-One Marketing \u2013 Forms, Popups, Live Chat", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "11.3.32", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks."}], "title": "HubSpot All-In-One Marketing - Forms, Popups, Live Chat <= 11.3.32 - Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2a8c62e6-f459-433a-b0c4-c79285ea7fe9?source=cve"}, {"url": "https://research.cleantalk.org/CVE-2025-11762"}, {"url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.33/public/admin/class-adminconstants.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2026-04-23T19:19:31.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T16:58:21.740873Z", "id": "CVE-2025-11762", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T18:17:28.206Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11762", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-24T16:58:21.740873Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T16:58:28.615Z"}}], "cna": {"title": "HubSpot All-In-One Marketing - Forms, Popups, Live Chat <= 11.3.32 - Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "hubspotdev", "product": "HubSpot All-In-One Marketing \u2013 Forms, Popups, Live Chat", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "11.3.32"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-23T19:19:31.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2a8c62e6-f459-433a-b0c4-c79285ea7fe9?source=cve"}, {"url": "https://research.cleantalk.org/CVE-2025-11762"}, {"url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.33/public/admin/class-adminconstants.php"}], "descriptions": [{"lang": "en", "value": "The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-24T07:45:06.751Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11762", "state": "PUBLISHED", "dateUpdated": "2026-04-24T18:17:28.206Z", "dateReserved": "2025-10-14T20:34:25.859Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-24T07:45:06.751Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract a list of all installed plugins and their versions which can be leveraged for reconnaissance and further attacks."}], "id": "CVE-2025-11762", "lastModified": "2026-04-24T14:38:26.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-24T08:16:29.000", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.33/public/admin/class-adminconstants.php"}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/CVE-2025-11762"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2a8c62e6-f459-433a-b0c4-c79285ea7fe9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,11.3.32]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "HubSpot All-In-One Marketing \u2013 Forms, Popups, Live Chat", "source": "cna", "vendor": "hubspotdev"}, "product": "hubspot_all-in-one_marketing_\u2013_forms,_popups,_live_chat", "vendor": "hubspotdev"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T06:56:37.276680+00:00", "value": {"mitigation_remediation": ["Update the HubSpot All\u2011In\u2011One Marketing plugin to version 11.3.33 or later, where the missing authorization check has been fixed.", "If an immediate update is not possible, remove the plugin from the site to eliminate the vulnerability.", "Restrict Contributor access or prune contributor\u2011level users until the patch can be applied to reduce the set of attackers who could exploit the issue."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Vendors: HubSpot dev. Product: HubSpot All\u2011In\u2011One Marketing \u2013 Forms, Popups, Live Chat. Affected versions are all releases up to and including 11.3.32, which are used on WordPress sites that have the plugin installed.", "description_and_impact": "The HubSpot All\u2011In\u2011One Marketing \u2013 Forms, Popups, Live Chat WordPress plugin allows attackers who are authenticated with Contributor or higher privileges to retrieve a list of all installed plugins and their versions. This missing authorization check can lead to sensitive information exposure, helping an attacker gather reconnaissance data for future attacks. The weakness is classified as CWE\u2011862.", "risk_and_exploitability": "The vulnerability has a CVSS score of 4.3, indicating a moderate risk level, and an EPSS score of less than 1 percent, suggesting a low probability of current exploitation. It is not listed in the CISA KEV catalog. The attack requires authenticated access at the Contributor level, so only users who have been granted such permissions could exploit this weakness. Because the attacker can only read plugin information and not modify or execute code, the impact is limited to information disclosure and reconnaissance, not direct code execution or privilege escalation."}}}}, "created": "2026-04-28T07:00:09.534635+00:00", "updated": "2026-04-28T09:18:07.254646+00:00", "vendors": ["hubspotdev", "hubspotdev$PRODUCT$hubspot_all-in-one_marketing_\u2013_forms,_popups,_live_chat", "wordpress", "wordpress$PRODUCT$wordpress"]}