CVE-2024-7389

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-7389
The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.29.1 via class-forminator-addon-hubspot-wp-api.php. This makes it possible for unauthenticated attackers to extract the HubSpot integration developer API key and make unauthorized changes to the plugin's HubSpot integration or expose personally identifiable information from plugin users using the HubSpot integration.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://developers.hubspot.com/docs/api/webhooks#manage-settings-via-api
https://developers.hubspot.com/docs/api/webhooks#scopes
https://plugins.trac.wordpress.org/changeset/3047085/forminator/trunk/addons/pro/hubspot/lib/class-forminator-addon-hubspot-wp-api.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/0d04b822-a48a-485e-b9b5-f5a213307c71?source=cve
Configurations

No configuration.

History

02 Aug 2024, 12:59

Type Values Removed Values Added
Summary
  • (es) El complemento Forminator para WordPress es vulnerable a la exposición de información confidencial en todas las versiones hasta la 1.29.1 incluida a través de class-forminator-addon-hubspot-wp-api.php. Esto hace posible que atacantes no autenticados extraigan la clave API del desarrollador de integración de HubSpot y realicen cambios no autorizados en la integración de HubSpot del complemento o expongan información de identificación personal de los usuarios del complemento que utilizan la integración de HubSpot.

02 Aug 2024, 05:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-08-02 05:15

Updated : 2024-08-02 12:59

NVD link : CVE-2024-7389

Mitre link : CVE-2024-7389

CVE.ORG link : CVE-2024-7389

JSON object : View

Products Affected

No product.

CWE
CWE-522

Insufficiently Protected Credentials