CVE-2024-7389 Overview
CVE-2024-7389 affects the Forminator plugin for WordPress through version 1.29.1. The vulnerability resides in class-forminator-addon-hubspot-wp-api.php and exposes the HubSpot integration developer API key to unauthenticated attackers. Attackers who retrieve the key can make unauthorized changes to the plugin's HubSpot integration or extract personally identifiable information (PII) from users submitting forms tied to that integration. The flaw is categorized under CWE-522: Insufficiently Protected Credentials. The vulnerability is exploitable over the network without authentication or user interaction.
Critical Impact
Unauthenticated attackers can extract the HubSpot developer API key from vulnerable Forminator installations and pivot to manipulate HubSpot integrations or exfiltrate PII collected by WordPress forms.
Affected Products
- Incsub Forminator (Free) for WordPress — versions up to and including 1.29.1
- Incsub Forminator (Pro) for WordPress — versions up to and including 1.29.1
- WordPress sites using the Forminator HubSpot integration addon
Discovery Timeline
- 2024-08-02 - CVE-2024-7389 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-7389
Vulnerability Analysis
Forminator is a popular WordPress plugin used to build contact forms, polls, and quizzes. The Pro version ships with a HubSpot integration addon that authenticates against the HubSpot API using a developer API key. The vulnerable file class-forminator-addon-hubspot-wp-api.php returns this credential through code paths that do not enforce authentication or capability checks. An unauthenticated remote attacker can therefore obtain the API key by interacting with the exposed endpoint.
Once the developer API key is recovered, the attacker gains the same privileges granted to that key inside HubSpot. According to the HubSpot API Webhooks Documentation, this includes managing webhook subscriptions, modifying integration settings, and accessing data covered by the granted API scopes.
Root Cause
The root cause is insufficient credential protection (CWE-522). The plugin stored and exposed the HubSpot developer API key without restricting access to administrative users. Calls into the HubSpot WP API class did not gate sensitive responses behind WordPress capability checks such as current_user_can( 'manage_options' ) or nonce verification. The credential was effectively returned to any caller able to reach the relevant code path.
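To make the root cause concrete, here is an added PHP illustration that is not Forminator's code: a hypothetical admin-ajax handler that returns a stored HubSpot developer key, first in the shape the CWE-522 description above corresponds to (registered on the nopriv hook, no nonce, no capability check) and then gated the way the fix requires. The option name, action names, nonce action and the stand-in WordPress functions are assumptions of this example.

```php
<?php
/**
 * Added illustration, not Forminator's code: a hypothetical admin-ajax handler that
 * returns a stored HubSpot developer key. The first version shows the CWE-522
 * pattern (no nonce, no capability check, reachable by anonymous visitors); the
 * second gates the response. Option name, action names and nonce action are
 * assumptions. Run stand-alone with: php hubspot-key-handler-demo.php (PHP 7.4+)
 */

// Minimal stand-ins for the WordPress functions used below; only defined when the
// file runs outside WordPress.
if ( ! function_exists( 'add_action' ) ) {
	function add_action( $hook, $callback ) {
		$GLOBALS['demo_hooks'][ $hook ][] = $callback;
	}
	function get_option( $name, $default = false ) {
		return $GLOBALS['demo_options'][ $name ] ?? $default;
	}
	function current_user_can( $capability ) {
		return ! empty( $GLOBALS['demo_caps'][ $capability ] );
	}
	function check_ajax_referer( $action, $query_arg = false, $stop = true ) {
		// Real WordPress validates a time-limited, user-bound nonce; the demo compares a fixed string.
		$sent = $_REQUEST[ $query_arg ?: '_wpnonce' ] ?? '';
		return ( 'demo-nonce-' . $action === $sent ) ? 1 : false;
	}
	function wp_send_json_success( $data = null ) {
		echo json_encode( [ 'success' => true, 'data' => $data ] ), "\n";
	}
	function wp_send_json_error( $data = null, $status = null ) {
		echo 'HTTP ', $status ?? 200, ' ', json_encode( [ 'success' => false, 'data' => $data ] ), "\n";
	}
}

// BEFORE: the pattern behind the advisory. The wp_ajax_nopriv_* hook makes WordPress run the
// callback for visitors who are not logged in, and nothing is checked before the key is sent.
function demo_hubspot_key_vulnerable() {
	wp_send_json_success( [ 'api_key' => get_option( 'demo_hubspot_api_key' ) ] );
}
add_action( 'wp_ajax_nopriv_demo_hubspot_key', 'demo_hubspot_key_vulnerable' );
add_action( 'wp_ajax_demo_hubspot_key', 'demo_hubspot_key_vulnerable' );

// AFTER: no nopriv hook, a nonce tied to this action, a manage_options check, and the
// secret itself never leaves the server: the response says only whether a key is configured.
function demo_hubspot_key_status() {
	if ( ! check_ajax_referer( 'demo_hubspot_settings', 'nonce', false ) ) {
		wp_send_json_error( 'invalid or missing nonce', 403 );
		return; // inside WordPress wp_send_json_error() has already ended the request
	}
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'insufficient capability', 403 );
		return;
	}
	$key = (string) get_option( 'demo_hubspot_api_key', '' );
	wp_send_json_success( [
		'configured' => '' !== $key,
		'key_hint'   => '' === $key ? '' : '****' . substr( $key, -4 ),
	] );
}
add_action( 'wp_ajax_demo_hubspot_key_status', 'demo_hubspot_key_status' );

// Constructed demo run, skipped when loaded inside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
	$GLOBALS['demo_options'] = [ 'demo_hubspot_api_key' => 'constructed-demo-key-1234' ];

	$GLOBALS['demo_caps'] = [];   // anonymous visitor
	$_REQUEST             = [];
	echo 'anonymous, vulnerable handler: ';
	demo_hubspot_key_vulnerable();   // the full key is echoed back
	echo 'anonymous, hardened handler:   ';
	demo_hubspot_key_status();       // HTTP 403, nonce missing

	$GLOBALS['demo_caps'] = [ 'manage_options' => true ];   // administrator
	$_REQUEST             = [ 'nonce' => 'demo-nonce-demo_hubspot_settings' ];
	echo 'admin with nonce, hardened:    ';
	demo_hubspot_key_status();       // success, but only a masked hint
}
```

Running the file with the PHP CLI prints the three constructed calls; inside WordPress the stand-ins and the demo block are skipped and the real check_ajax_referer() (a time-limited nonce) and current_user_can() apply. The hardened handler also never echoes the secret, only whether one is configured and its last four characters, which is the pattern a settings screen needs; a handler that must return the key to an administrator's browser still leaves it one XSS or CSRF bug away from disclosure.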
Attack Vector
The attack vector is purely network-based. An attacker locates a WordPress site running Forminator with the HubSpot integration configured, then issues a crafted unauthenticated request that triggers the vulnerable code path in class-forminator-addon-hubspot-wp-api.php. The response discloses the developer API key. The attacker reuses the key against the HubSpot API to read CRM data containing form submitter PII or to alter the tenant's integration configuration. No social engineering or privileged access is required.
A detailed source code walkthrough is available in the Vicarius Code Analysis on CVE-2024-7389 and the Wordfence Vulnerability Report.
Detection Methods for CVE-2024-7389
Indicators of Compromise
- Unauthenticated HTTP requests to Forminator addon endpoints under /wp-content/plugins/forminator/addons/pro/hubspot/ returning non-empty response bodies
- Outbound traffic from HubSpot tenants originating from unfamiliar IP addresses using the developer API key
- Unexpected modifications to HubSpot webhook subscriptions or integration settings not initiated by administrators
- New or modified HubSpot contacts, lists, or workflows correlated to the time window of suspicious WordPress access
Detection Strategies
- Review WordPress access logs for unauthenticated requests targeting Forminator HubSpot integration paths.
- Audit the installed Forminator version across managed WordPress sites and flag any instance at or below 1.29.1.
- Correlate HubSpot audit logs with WordPress request logs to identify API key reuse from unexpected sources.
- Inspect HTTP responses from the plugin's admin-ajax and REST endpoints for leaked key material matching HubSpot key formats.
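As an added example (not from the advisory, Wordfence, Vicarius or the Forminator project), the following PHP CLI script applies three items from the lists above to constructed sample data: it scans combined-format access log lines for successful, non-empty responses under the addon path named in the indicators, flags inventory entries at or below 1.29.1, and looks for key-shaped material in a captured response body. The log lines, site inventory, response body and the key patterns (UUID-shaped API keys and pat-* private-app tokens) are assumptions made for the demo.

```php
<?php
/**
 * Added example, not part of this advisory or the Forminator project: a PHP CLI
 * script applying three detection strategies from the section above (access-log
 * review, version inventory, leaked-key pattern matching) to constructed data.
 * Run with: php cve-2024-7389-triage.php   (PHP 8+ for str_starts_with)
 */

const FORMINATOR_HUBSPOT_PATH  = '/wp-content/plugins/forminator/addons/pro/hubspot/';
const LAST_VULNERABLE_VERSION  = '1.29.1';

// nginx/Apache "combined" log format: ip ident user [time] "method path proto" status bytes ...
const COMBINED_LOG_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\d+|-)/';

/** Parse one combined-format line into fields, or null when it does not match. */
function parse_log_line( string $line ): ?array {
	if ( ! preg_match( COMBINED_LOG_RE, $line, $m ) ) {
		return null;
	}
	return [
		'ip'     => $m['ip'],
		'time'   => $m['time'],
		'method' => $m['method'],
		'path'   => parse_url( $m['path'], PHP_URL_PATH ) ?? $m['path'], // drop the query string
		'status' => (int) $m['status'],
		'bytes'  => '-' === $m['bytes'] ? 0 : (int) $m['bytes'],
	];
}

/**
 * Indicator from the list above: a request under the HubSpot addon path that
 * succeeded with a non-empty body. Access logs carry no WordPress login state,
 * so every such hit is returned; the authenticated/unauthenticated split comes
 * from correlating with WordPress and HubSpot audit logs.
 */
function find_addon_hits( array $lines ): array {
	$hits = [];
	foreach ( $lines as $line ) {
		$r = parse_log_line( $line );
		if ( $r && str_starts_with( $r['path'], FORMINATOR_HUBSPOT_PATH ) && 200 === $r['status'] && $r['bytes'] > 0 ) {
			$hits[] = $r;
		}
	}
	return $hits;
}

/** Version audit: anything at or below 1.29.1 is inside the affected range. */
function forminator_is_affected( string $version ): bool {
	return version_compare( $version, LAST_VULNERABLE_VERSION, '<=' );
}

/**
 * Key-shaped material in a captured response body. Assumed formats: the UUID shape
 * HubSpot used for API keys and the "pat-<region>-<uuid>" private-app token shape;
 * tune the patterns to what your tenant issues. Matches are masked, never logged whole.
 */
function find_key_material( string $body ): array {
	$patterns = [
		'uuid'      => '/\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/i',
		'pat-token' => '/\bpat-[a-z0-9]+-[0-9a-f-]{36}\b/i',
	];
	$found = [];
	foreach ( $patterns as $name => $re ) {
		if ( preg_match_all( $re, $body, $m ) ) {
			foreach ( $m[0] as $token ) {
				$found[] = [ 'type' => $name, 'masked' => '****' . substr( $token, -4 ) ];
			}
		}
	}
	return $found;
}

// ---- constructed sample data (not real traffic) -------------------------------
$sample_log = [
	'203.0.113.10 - - [05/Aug/2024:10:01:02 +0000] "GET /wp-content/plugins/forminator/addons/pro/hubspot/hypothetical-endpoint.php?x=1 HTTP/1.1" 200 512 "-" "python-requests/2.31"',
	'198.51.100.7 - - [05/Aug/2024:10:01:05 +0000] "GET /wp-content/plugins/forminator/assets/css/front.css HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
	'192.0.2.55 - - [05/Aug/2024:10:02:00 +0000] "GET /wp-content/plugins/forminator/addons/pro/hubspot/ HTTP/1.1" 403 153 "-" "curl/8.4"',
	'garbage line that does not parse',
];
$sample_inventory = [ 'shop.example' => '1.29.1', 'blog.example' => '1.29.2', 'docs.example' => '1.28.0' ];
$sample_body      = '{"success":true,"data":{"api_key":"12345678-abcd-4ef0-9abc-0123456789ab"}}';

if ( PHP_SAPI === 'cli' ) {
	foreach ( find_addon_hits( $sample_log ) as $hit ) {
		printf( "addon hit: %s %s %s (%d bytes)\n", $hit['ip'], $hit['method'], $hit['path'], $hit['bytes'] );
	}
	foreach ( $sample_inventory as $site => $version ) {
		printf( "%-14s %-7s %s\n", $site, $version, forminator_is_affected( $version ) ? 'AFFECTED' : 'patched' );
	}
	foreach ( find_key_material( $sample_body ) as $k ) {
		printf( "key material in response: %s %s\n", $k['type'], $k['masked'] );
	}
}
```

With the constructed input the script reports one addon hit (the 200 with 512 bytes; the 403 and the CSS request are ignored), marks shop.example and docs.example as affected, and finds one masked UUID-shaped value in the response body. It deliberately flags every successful hit on the addon path, since standard access logs record no WordPress session state; the flagged IPs and timestamps are what you then correlate with WordPress and HubSpot audit logs, as the third strategy above describes.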
Monitoring Recommendations
- Enable HubSpot audit logging and alert on configuration changes performed via the developer API key.
- Monitor egress traffic from WordPress hosts for unusual calls to api.hubapi.com.
- Track plugin version inventory through a WordPress management platform and alert on outdated Forminator deployments.
- Add web application firewall (WAF) rules to log and rate-limit requests to Forminator HubSpot addon endpoints.
How to Mitigate CVE-2024-7389
Immediate Actions Required
- Upgrade Forminator to version 1.29.2 or later on every WordPress site that uses the plugin.
- Rotate the HubSpot developer API key immediately and revoke the previous key in the HubSpot account settings.
- Review HubSpot audit logs and webhook configurations for unauthorized changes since the plugin was first installed.
- Disable the Forminator HubSpot integration on sites that cannot be patched promptly.
Patch Information
The maintainer fixed the issue in the Forminator codebase. The applied changes are visible in the WordPress Plugin Changeset 3047085, which updates class-forminator-addon-hubspot-wp-api.php to restrict access to the HubSpot integration credential. Site operators should update to the patched release through the WordPress plugin updater or by deploying the fixed package manually.
Workarounds
- Deactivate and remove the Forminator plugin until upgrading is possible.
- Restrict access to /wp-content/plugins/forminator/addons/pro/hubspot/ via web server rules or WAF policies.
- Scope the HubSpot API key to the minimum required permissions and IP-allowlist the WordPress host where supported.
- Temporarily disconnect the HubSpot integration inside Forminator and use form-only submissions until patched.
# Configuration example: block requests to the Forminator HubSpot addon path in nginx.
# Place this block before the generic "location ~ \.php$" handler: nginx uses the first
# matching regex location, so an earlier PHP handler would otherwise take the request.
location ~* ^/wp-content/plugins/forminator/addons/pro/hubspot/ {
    return 403;   # "deny all;" is redundant here: "return" runs first and ends the request
}
# Test and reload after editing: nginx -t && nginx -s reload

# WP-CLI: check the installed Forminator version, then update to the patched release
wp plugin get forminator --field=version
wp plugin update forminator --version=1.29.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

