PT-2026-34861 · Hubspot · Hubspot All-In-One Marketing

Dmitry Ignatyev

Published

2026-04-24

Updated

2026-04-25

CVE-2025-11762

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions HubSpot All-In-One Marketing - Forms, Popups, Live Chat versions prior to 11.3.33

Description An issue exists in the leadin/public/admin/class-adminconstants.php file that allows authenticated attackers with Contributor-level access or higher to extract a list of all installed plugins and their respective versions. This exposure of sensitive information can be used for reconnaissance to facilitate further attacks.

Recommendations Update the plugin to a version later than 11.3.32. Restrict access to the leadin/public/admin/class-adminconstants.php file to minimize the risk of information exposure.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-862

Related Identifiers

CVE-2025-11762

Affected Products

Hubspot All-In-One Marketing

PT-2026-34861 · Hubspot · Hubspot All-In-One Marketing

CVE-2025-11762

Weakness Enumeration

Related Identifiers

Affected Products

References · 5