{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24559", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:31:51.716Z", "datePublished": "2026-01-23T14:28:54.762Z", "dateUpdated": "2026-04-28T16:14:49.295Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "cf7-hubspot", "product": "Integration for Contact Form 7 HubSpot", "vendor": "CRM Perks", "versions": [{"changes": [{"at": "1.4.4", "status": "unaffected"}], "lessThanOrEqual": "1.4.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:54.961Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Retrieve Embedded Sensitive Data.<p>This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.3.</p>"}], "value": "Insertion of Sensitive Information Into Sent Data vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Retrieve Embedded Sensitive Data.This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.3."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-201", "description": "Insertion of Sensitive Information Into Sent Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:49.295Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/cf7-hubspot/vulnerability/wordpress-integration-for-contact-form-7-hubspot-plugin-1-4-3-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress Integration for Contact Form 7 HubSpot plugin <= 1.4.3 - Sensitive Data Exposure vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T14:24:15.164216Z", "id": "CVE-2026-24559", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:24:19.455Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24559", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T14:24:15.164216Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T17:28:01.010Z"}}], "cna": {"title": "WordPress Integration for Contact Form 7 HubSpot plugin <= 1.4.3 - Sensitive Data Exposure vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "CRM Perks", "product": "Integration for Contact Form 7 HubSpot", "versions": [{"status": "affected", "changes": [{"at": "1.4.4", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.4.3"}], "packageName": "cf7-hubspot", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:54.961Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/cf7-hubspot/vulnerability/wordpress-integration-for-contact-form-7-hubspot-plugin-1-4-3-sensitive-data-exposure-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Retrieve Embedded Sensitive Data.This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.3.", "supportingMedia": [{"type": "text/html", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Retrieve Embedded Sensitive Data.<p>This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-201", "description": "Insertion of Sensitive Information Into Sent Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:06.083Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24559", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:24:19.455Z", "dateReserved": "2026-01-23T12:31:51.716Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:28:54.762Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Insertion of Sensitive Information Into Sent Data vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Retrieve Embedded Sensitive Data.This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.3."}, {"lang": "es", "value": "Inserci\u00f3n de Informaci\u00f3n Sensible en Datos Enviados en la integraci\u00f3n CRM Perks para Contact Form 7 HubSpot cf7-hubspot permite Recuperar Datos Sensibles Incrustados. Este problema afecta a Integraci\u00f3n para Contact Form 7 HubSpot: desde n/a hasta &lt;= 1.4.3."}], "id": "CVE-2026-24559", "lastModified": "2026-04-28T15:16:14.077", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:13.187", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/cf7-hubspot/vulnerability/wordpress-integration-for-contact-form-7-hubspot-plugin-1-4-3-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-201"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T17:51:47.329526+00:00", "value": {"mitigation_remediation": ["Upgrade the Integration for Contact Form 7 HubSpot plugin to a version newer than 1.4.3", "Disable or uninstall the vulnerable plugin if an immediate upgrade is not possible to prevent further data leakage", "Monitor form submissions and HubSpot inbound traffic for evidence of unintended sensitive data transmission"], "summary": {"action": "Update Plugin", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "Affected are deployments of the CRM Perks: Integration for Contact Form 7 HubSpot plugin, version 1.4.3 and all earlier releases. The nature of the product is a WordPress plugin that forwards form data to HubSpot.", "description_and_impact": "The flaw involves the insertion of sensitive information into data that is sent from the WordPress Integration for Contact Form 7 HubSpot plugin. When the plugin processes form submissions it can expose confidential data to the target HubSpot endpoint. The data leakage potentially compromises confidentiality and may allow an attacker to steal personally identifiable or business\u2011critical information. The vulnerability is categorized as CWE\u2011201 (Sensitive Data Exposure).", "risk_and_exploitability": "The CVSS base score of 5.3 indicates a moderate risk while the EPSS score of less than 1% suggests that exploitation attempts are expected to be very rare. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker could submit specially crafted form data that triggers the plugin to send sensitive fields to HubSpot. No additional authentication or privilege escalation steps are described, so the attack surface is limited to sites that have the vulnerable plugin installed and have exposed contact forms. The overall threat remains moderate, but the low EPSS indicates that widespread exploitation is unlikely at present."}}}}, "created": "2026-01-26T11:52:48.173694+00:00", "updated": "2026-04-28T18:00:14.083554+00:00", "vendors": ["crm_perks", "crm_perks$PRODUCT$integration_for_contact_form_7_hubspot", "wordpress", "wordpress$PRODUCT$wordpress"]}