CVE-2025-11762 Overview
The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32. The vulnerability exists within the leadin/public/admin/class-adminconstants.php file, which fails to properly restrict access to sensitive administrative data. This security flaw allows authenticated attackers with Contributor-level access and above to extract a comprehensive list of all installed plugins and their respective versions.
Critical Impact
Attackers can enumerate installed plugins and versions, enabling reconnaissance for targeted exploitation of known vulnerabilities in outdated plugins.
Affected Products
- HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin versions up to and including 11.3.32
- WordPress installations utilizing the vulnerable HubSpot plugin
- Any site granting Contributor-level or higher access to untrusted users
Discovery Timeline
- 2026-04-24 - CVE-2025-11762 published to NVD
- 2026-04-24 - Last updated in NVD database
Technical Details for CVE-2025-11762
Vulnerability Analysis
This vulnerability is classified under CWE-862 (Missing Authorization), indicating that the affected code path lacks proper authorization checks before exposing sensitive system information. The class-adminconstants.php file in the HubSpot plugin exposes administrative constants and plugin enumeration functionality without verifying that the requesting user has appropriate administrative privileges.
The information disclosure allows attackers to gather intelligence about the WordPress installation's plugin ecosystem. By obtaining a complete list of installed plugins along with their version numbers, an attacker can cross-reference this data against known vulnerability databases to identify potential attack surfaces. This reconnaissance capability significantly reduces the effort required to plan and execute subsequent attacks.
Root Cause
The root cause is missing authorization (CWE-862) in the class-adminconstants.php file: the plugin does not perform a capability check before returning plugin enumeration data. WordPress provides a robust capability system (e.g., current_user_can()) that should gate access to administrative functions, but this endpoint does not adequately apply it.
The vulnerability allows users with only Contributor-level permissions—a relatively low-privilege role intended for content creation—to access data that should be restricted to administrators only.
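To make the missing check concrete, the following is an added illustrative example written for this page; it is not the HubSpot plugin's code and does not reproduce how class-adminconstants.php is actually reached. It shows a hypothetical REST route (namespace and route names are assumptions) that returns the installed-plugin inventory, first gated only on "is logged in", which any Contributor satisfies, and then gated on the activate_plugins capability that WordPress itself requires for the Plugins screen. register_rest_route(), current_user_can(), get_plugins() and rest_authorization_required_code() are WordPress core functions.

```php
<?php
// Added illustrative example, not the HubSpot plugin's own code.
// Assumes it runs inside WordPress (e.g. as a small plugin file).

// Hypothetical REST namespace; not a route the plugin exposes.
const EXAMPLE_REST_NAMESPACE = 'example-inventory/v1';

// Builds the inventory: plugin file => version. get_plugins() is defined in
// wp-admin/includes/plugin.php, which is not loaded on REST requests by default.
function example_plugin_inventory() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $inventory = array();
    foreach ( get_plugins() as $file => $data ) {
        $inventory[ $file ] = $data['Version'];
    }
    return $inventory;
}

function example_inventory_callback() {
    return rest_ensure_response( example_plugin_inventory() );
}

// Weak pattern (CWE-862): the permission callback only checks that the
// caller is authenticated, so a Contributor account can read the inventory.
function example_register_weak_route() {
    register_rest_route( EXAMPLE_REST_NAMESPACE, '/inventory-weak', array(
        'methods'             => 'GET',
        'callback'            => 'example_inventory_callback',
        'permission_callback' => 'is_user_logged_in',
    ) );
}

// Hardened pattern: require the capability WordPress uses for the Plugins
// screen. Contributors, Authors and Editors lack it by default.
function example_can_view_inventory() {
    if ( current_user_can( 'activate_plugins' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to view the plugin inventory.', 'example' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

function example_register_hardened_route() {
    register_rest_route( EXAMPLE_REST_NAMESPACE, '/inventory', array(
        'methods'             => 'GET',
        'callback'            => 'example_inventory_callback',
        'permission_callback' => 'example_can_view_inventory',
    ) );
}

// Only the hardened route should be registered in practice; the weak one is
// kept above purely to show the difference.
add_action( 'rest_api_init', 'example_register_hardened_route' );
```

The permission_callback is where the check belongs: returning a WP_Error with rest_authorization_required_code() yields 401 for anonymous callers and 403 for authenticated ones without the capability, and the callback that builds the inventory never runs for them. Any equivalent admin-ajax handler or admin page needs the same current_user_can() gate before it emits the data.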
Attack Vector
The attack is network-based and requires low-privilege authenticated access to the WordPress installation. An attacker would need valid credentials with at least Contributor-level access to exploit this vulnerability. Once authenticated, the attacker can access the vulnerable endpoint to retrieve plugin information without requiring any user interaction or special conditions.
The attack sequence involves authenticating to the WordPress site with a Contributor account and accessing the exposed endpoint in class-adminconstants.php. The response returns a complete inventory of installed plugins and their versions. This information can then be used to identify plugins with known vulnerabilities, enabling follow-up attacks that may lead to privilege escalation, remote code execution, or complete site compromise depending on the vulnerabilities present in the enumerated plugins.
Detection Methods for CVE-2025-11762
Indicators of Compromise
- Unusual access patterns to the leadin/public/admin/class-adminconstants.php file from Contributor-level user accounts
- HTTP requests targeting HubSpot plugin administrative endpoints from non-administrative users
- Log entries showing repeated access to plugin enumeration endpoints
- Anomalous reconnaissance activity from authenticated users with limited privileges
Detection Strategies
- Monitor WordPress access logs for requests to /wp-content/plugins/leadin/public/admin/class-adminconstants.php
- Implement Web Application Firewall (WAF) rules to detect suspicious access patterns to plugin administrative files
- Review user activity logs for Contributor accounts accessing administrative plugin endpoints
- Deploy endpoint detection to identify follow-up exploitation attempts after reconnaissance
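The following added example turns the indicators and detection strategies above into a small log-scanning script; it is not part of the advisory and not a HubSpot or Wordfence tool. It parses combined-format web-server log lines, looks for requests to the path the advisory names, and reports per-client hit counts so repeated enumeration stands out. The log lines, the client addresses and the alert threshold are constructed assumptions.

```php
<?php
// Added detection example; not part of the advisory or the plugin.
// Run with: php scan_leadin_access.php

// The path named in the advisory's detection guidance.
const LEADIN_ADMIN_PATH = '/wp-content/plugins/leadin/public/admin/class-adminconstants.php';

// Assumed threshold: alert once one client has requested the path this often.
const REPEAT_THRESHOLD = 3;

// Constructed sample lines in Apache/nginx "combined" log format.
$sample_log = <<<'LOG'
203.0.113.10 - - [24/Apr/2026:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [24/Apr/2026:10:01:09 +0000] "GET /wp-content/plugins/leadin/public/admin/class-adminconstants.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [24/Apr/2026:10:01:11 +0000] "GET /wp-content/plugins/leadin/public/admin/class-adminconstants.php?v=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Apr/2026:10:02:30 +0000] "GET /wp-admin/admin.php?page=leadin HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.10 - - [24/Apr/2026:10:01:15 +0000] "GET /wp-content/plugins/leadin/public/admin/class-adminconstants.php HTTP/1.1" 200 2048 "-" "curl/8.0"
LOG;

// Parses one combined-format line; returns null when the line does not match.
function parse_combined_line($line) {
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/';
    if (!preg_match($pattern, $line, $m)) {
        return null;
    }
    $path = parse_url($m[4], PHP_URL_PATH);   // strip any query string
    return array(
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => is_string($path) ? $path : $m[4],
        'status' => (int) $m[5],
        'agent'  => $m[8],
    );
}

// Groups every request for the monitored path by client address.
function find_enumeration_hits(array $lines, $monitored_path) {
    $hits = array();
    foreach ($lines as $line) {
        $req = parse_combined_line(trim($line));
        if ($req === null || $req['path'] !== $monitored_path) {
            continue;
        }
        $hits[$req['ip']][] = $req;
    }
    return $hits;
}

$hits = find_enumeration_hits(explode("\n", $sample_log), LEADIN_ADMIN_PATH);
foreach ($hits as $ip => $requests) {
    $count    = count($requests);
    $served   = count(array_filter($requests, function ($r) { return $r['status'] < 300; }));
    $agents   = implode(', ', array_unique(array_column($requests, 'agent')));
    $severity = $count >= REPEAT_THRESHOLD ? 'ALERT' : 'INFO';
    printf("%-5s %-15s %d request(s), %d served with 2xx, first at %s, agents: %s\n",
        $severity, $ip, $count, $served, $requests[0]['time'], $agents);
}
// With the sample above, 203.0.113.10 is reported as ALERT with 3 requests.
```

Web-server logs carry no WordPress identity, so this script attributes activity to client addresses, not to accounts. To confirm the advisory's indicator that the requests came from a Contributor-level user, correlate the timestamps with a WordPress user-activity log (login events and admin page views), and treat 2xx responses after the patch is applied as a sign that the update has not actually taken effect.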
Monitoring Recommendations
- Enable detailed logging for WordPress plugin file access
- Configure alerts for unusual patterns of administrative endpoint access by low-privilege users
- Implement file integrity monitoring on the HubSpot plugin directory
- Monitor for subsequent exploitation attempts targeting plugins identified through reconnaissance
How to Mitigate CVE-2025-11762
Immediate Actions Required
- Update the HubSpot All-In-One Marketing plugin to version 11.3.33 or later immediately
- Review WordPress user accounts and remove unnecessary Contributor-level access
- Audit recent access logs for signs of exploitation or reconnaissance activity
- Consider temporarily restricting access to the plugin's administrative files pending the update
Patch Information
The vulnerability has been addressed in HubSpot All-In-One Marketing plugin version 11.3.33. The patched version includes proper authorization checks in the class-adminconstants.php file to prevent unauthorized access to plugin enumeration data. Additional technical details about the fix can be found in the WordPress Plugin File and the Wordfence Vulnerability Report.
Workarounds
- Restrict Contributor-level and above access to trusted users only until the patch is applied
- Implement additional access controls at the web server level to restrict access to plugin administrative files
- Use a Web Application Firewall to block unauthorized access to the vulnerable endpoint
- Consider temporarily deactivating the HubSpot plugin if immediate patching is not possible and the risk is deemed critical to your environment
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.