Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-7389

The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.29.1 via class-forminator-addon-hubspot-wp-api.php. This makes it possible for unauthenticated attackers to extract the HubSpot integration developer API key and make unauthorized changes to the plugin's HubSpot integration or expose personally identifiable information from plugin users using the HubSpot integration.

Published

2024-08-02T05:15:51.510

Last Modified

2025-02-05T14:59:01.993

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-522
Type: Primary
CWE-522

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	incsub	forminator	< 1.29.2	Yes
Application	incsub	forminator	< 1.29.2	Yes

References

https://developers.hubspot.com/docs/api/webhooks#manage-settings-via-api Related ([email protected])
https://developers.hubspot.com/docs/api/webhooks#scopes Related ([email protected])
https://plugins.trac.wordpress.org/changeset/3047085/forminator/trunk/addons/pro/hubspot/lib/class-forminator-addon-hubspot-wp-api.php Patch ([email protected])
https://www.wordfence.com/threat-intel/vulnerabilities/id/0d04b822-a48a-485e-b9b5-f5a213307c71?source=cve Third Party Advisory ([email protected])
https://www.vicarius.io/vsociety/posts/source-code-dive-to-hunt-for-secrets-in-forminator-code-cve-2024-7389 Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)