HubSpot WordPress Plugin Blind Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the HubSpot WordPress plugin, affecting versions prior to 8.8.15. The vulnerability arises because the plugin does not properly validate the proxy URL provided to the proxy REST endpoint. This flaw could enable users with the edit_posts capability, which includes contributors and higher roles, to execute SSRF attacks.

Impact

Exploitation of this vulnerability allows blind server-side request forgery (the response body is not returned to the caller, but the request is still made): an authenticated user can cause the server to issue requests to internal or external resources, potentially leading to unauthorized data access or manipulation.

Reproduction

To reproduce this vulnerability, an authenticated user with the edit_posts capability can send a request to the proxy REST endpoint with a crafted proxy URL. The REST nonce must be included to authenticate the request.

Remediation

Users are advised to update the HubSpot WordPress plugin to version 8.8.15 or later.
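The root cause described above is a proxy endpoint that forwards whatever URL it is handed. As an added example (not code from the HubSpot plugin or from this advisory), the PHP below shows the kind of validation such an endpoint needs before it makes an outbound request: scheme restriction, an exact-match host allowlist, and a check that the resolved address is not in a private or reserved range. The function names, the `example/v1/proxy` route, the allowlisted host and the sample URLs are all hypothetical; the WordPress calls (`register_rest_route`, `current_user_can`, `wp_remote_get` with `reject_unsafe_urls`) are real WordPress APIs.

```php
<?php
// Added example, not the plugin's own code. All names here are hypothetical.

/**
 * Return true only if $url is an absolute http(s) URL, its host is on the
 * allowlist, and the host resolves to a public (non-private, non-reserved) IP.
 * $resolve is injectable so the check can be exercised without live DNS.
 */
function example_is_safe_proxy_url(string $url, array $allowed_hosts, callable $resolve = 'gethostbyname'): bool
{
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;                                   // not a well-formed absolute URL
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                                   // refuse file://, gopher://, ftp:// ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                                   // http://allowed@evil style confusion
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowed_hosts, true)) {
        return false;                                   // exact-match allowlist, no suffix matching
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ip = $host;                                    // IP literal
    } else {
        $ip = $resolve($host);                          // gethostbyname() is IPv4 only
        if ($ip === $host) {
            return false;                               // gethostbyname() returns input on failure
        }
    }
    // Loopback, link-local (incl. 169.254.0.0/16), RFC1918 and other reserved ranges fail here.
    // Caveat: DNS can change between this check and the actual request (rebinding), so the
    // HTTP layer should re-validate, e.g. WordPress's reject_unsafe_urls, and not follow redirects.
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// How this plugs into a WordPress REST route. Guarded so the file also runs outside WordPress.
if (function_exists('add_action')) {
    add_action('rest_api_init', function () {
        register_rest_route('example/v1', '/proxy', [
            'methods'             => 'GET',
            // edit_posts is a low bar for an endpoint that makes server-side requests;
            // gate it on an administrative capability instead.
            'permission_callback' => function () {
                return current_user_can('manage_options');
            },
            'args' => [
                'url' => [
                    'required'          => true,
                    'validate_callback' => function ($value) {
                        return is_string($value) && example_is_safe_proxy_url($value, ['api.example.com']);
                    },
                ],
            ],
            'callback' => function (WP_REST_Request $request) {
                // reject_unsafe_urls makes the WP HTTP API apply wp_http_validate_url() as a second layer;
                // redirection 0 stops an allowed host from bouncing the request to an internal address.
                $resp = wp_remote_get($request['url'], ['reject_unsafe_urls' => true, 'redirection' => 0, 'timeout' => 5]);
                if (is_wp_error($resp)) {
                    return new WP_REST_Response(['error' => 'upstream request failed'], 502);
                }
                return new WP_REST_Response(['status' => wp_remote_retrieve_response_code($resp)], 200);
            },
        ]);
    });
}

// Stand-alone demonstration with constructed inputs and a stub resolver (no DNS, no WordPress).
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $allow   = ['api.example.com'];
    $resolve = function (string $h): string {
        $table = ['api.example.com' => '93.184.216.34', 'internal.example.com' => '10.0.0.5'];
        return $table[$h] ?? $h;                         // mimic gethostbyname() failure mode
    };
    $samples = [
        'https://api.example.com/v1/status'              => true,   // allowlisted, public IP
        'http://169.254.169.254/latest/meta-data/'       => false,  // link-local, not allowlisted
        'http://127.0.0.1:8080/admin'                    => false,  // loopback
        'file:///etc/passwd'                             => false,  // wrong scheme
        'https://api.example.com@internal.example.com/'  => false,  // userinfo trick
        'https://internal.example.com/'                  => false,  // not allowlisted, private IP
        'not a url'                                      => false,
    ];
    foreach ($samples as $url => $expected) {
        $got = example_is_safe_proxy_url($url, $allow, $resolve);
        printf("%-48s %s\n", $url, $got === $expected ? 'ok' : 'MISMATCH');
    }
}
```

Run with `php proxy_check.php`; every sample line should print `ok`. The allowlist is checked before the resolved-IP check on purpose: the IP check is the backstop for an allowlisted name that is pointed at an internal address, not a substitute for the allowlist.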

Added: May 15, 2026, 8:56 AM
Updated: May 15, 2026, 8:56 AM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 0.4
exploitability: 6.2
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.