HubSpot WordPress Plugin Vulnerability

HubSpot WordPress Plugin Vulnerability

WPScan and the USA Authorities Nationwide Vulnerability Database revealed a discover of a vulnerability found within the HubSpot WordPress plugin. The vulnerability exposes customers of the plugin to a Server Aspect Request Forgery assault.

WPScan Vulnerability Report

The safety researchers at WPScan revealed the next report:

“HubSpot < 8.8.15 – Contributor+ Blind SSRF


The plugin doesn’t validate the proxy URL given to the proxy REST endpoint, which might permit customers with the edit_posts functionality (by default contributor and above) to carry out SSRF assaults”

Server Aspect Request Forgery (SSRF) Vulnerability

This vulnerability requires {that a} contributor degree subscriber be logged in for the publicity to occur.

The non-profit Open Internet Software Safety Undertaking (OWASP), a worldwide group devoted to software program safety, an SSRF vulnerability may end up in the publicity of inner providers that aren’t meant to be uncovered.

Based on OWASP:

“In a Server-Aspect Request Forgery (SSRF) assault, the attacker can abuse performance on the server to learn or replace inner sources.

The attacker can provide or modify a URL which the code working on the server will learn or submit knowledge to, and by rigorously choosing the URLs, the attacker might be able to learn server configuration similar to AWS metadata, hook up with inner providers like http enabled databases or carry out submit requests in the direction of inner providers which aren’t meant to be uncovered.”

The providers that aren’t presupposed to be uncovered are:

  • “Cloud server meta-data
  • Database HTTP interfaces
  • Inside REST interfaces
  • Recordsdata – The attacker might be able to learn information utilizing <file://> URIs”

HubSpot WordPress Plugin

The HubSpot WordPress plugin is utilized by over 200,000 publishers. It gives CRM, stay chat, analytics and electronic mail advertising and marketing associated capabilities.

The vulnerability found by WPScan notes that it was mounted in model 8.8.15.

Nonetheless, the changelog that paperwork what was up to date within the software program reveals that the HubSpot WordPress plugin acquired extra updates to repair different vulnerabilities.

Here’s a listing of the updates in accordance with the official changelog, so as starting with the oldest replace:

= 8.8.15 (2022-04-07) =
* Repair safety situation associated to proxy URL

= 8.9.14 (2022-04-12) =
* Repair safety situation associated to type inputs

= 8.9.20 (2022-04-13) =
* Repair safety situation associated to sanitizing inputs

Whereas the safety agency WPScan and the Nationwide Vulnerability Database state that vulnerability was mounted in model 8.8.15, in accordance with the HubSpot plugin changelog, there have been additional safety fixes all the best way as much as model 8.9.20.

So it my be prudent to replace the HubSpot plugin to no less than model 8.9.20, though absolutely the newest model of the HubSpot WordPress plugin, as of this writing, is model 8.11.0.


Learn WPScan Vulnerability Report

HubSpot < 8.8.15 – Contributor+ Blind SSRF

Learn the Nationwide Vulnerability Database Report

CVE-2022-1239 Detail

Evaluation the HubSpot WordPress Plugin Changelog

HubSpot WordPress Plugin Changelog

Source link

Leave A Comment



Our purpose is to build solutions that remove barriers preventing people from doing their best work.

Giza – 6Th Of October
(Sunday- Thursday)
(10am - 06 pm)

No products in the cart.

Select the fields to be shown. Others will be hidden. Drag and drop to rearrange the order.
  • Image
  • SKU
  • Rating
  • Price
  • Stock
  • Availability
  • Add to cart
  • Description
  • Content
  • Weight
  • Dimensions
  • Additional information
  • Attributes
  • Custom attributes
  • Custom fields
Click outside to hide the compare bar