HubSpot WordPress Plugin Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the HubSpot WordPress plugin (CRM, Email Marketing, Live Chat, Forms & Analytics), version 11.1.22 and prior. The issue arises from inadequate input sanitization and output escaping of the 'url' attribute of the HubSpot Meeting Widget. It allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an affected page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access or higher can inject a script into the 'url' attribute of the HubSpot Meeting Widget. Once the script is injected, it will be executed whenever a user accesses the page containing the widget.

Remediation

Users are advised to update the HubSpot WordPress plugin to version 11.1.34 or a newer patched version.
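
The two defenses this advisory names, input sanitization and output escaping, applied to a widget 'url' attribute. This is an added illustration in Python, not the plugin's code: the markup, function names and sample values are constructed assumptions, and in WordPress itself esc_url() and esc_attr() fill these roles.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # assumption: meeting links are always https

# Constructed sample values for the 'url' attribute
GOOD = "https://meetings.example.test/alice?embed=true&lang=en"
BREAKOUT = 'https://meetings.example.test/a" data-injected="1'  # closes the attribute early
BAD_SCHEME = "javascript:void(0)"


def sanitize_widget_url(value: str) -> str:
    """Input sanitization: return the URL if acceptable, else ''."""
    value = value.strip()
    # Quotes, angle brackets, backticks, whitespace and control characters
    # never appear raw in a valid URL; they are how markup gets smuggled in.
    if any(c in "\"'<>`\\" or ord(c) <= 0x20 for c in value):
        return ""
    try:
        parts = urlsplit(value)
        host = parts.hostname
    except ValueError:
        return ""
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not host:
        return ""
    return value


def render_unsafe(url: str) -> str:
    """Flawed pattern: the attribute value is concatenated into markup as-is."""
    return '<div class="meeting-widget" data-src="' + url + '"></div>'


def render_safe(url: str) -> str:
    """Hardened: sanitize the input, then escape for the attribute context."""
    clean = sanitize_widget_url(url)
    if not clean:
        return "<!-- meeting widget omitted: invalid url -->"
    return '<div class="meeting-widget" data-src="%s"></div>' % html.escape(clean, quote=True)


if __name__ == "__main__":
    for sample in (GOOD, BREAKOUT, BAD_SCHEME):
        print(render_unsafe(sample))
        print(render_safe(sample))
```

Escaping alone neutralizes the attribute breakout; the scheme and character checks additionally keep non-URL values out of stored content.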

Added: May 15, 2026, 8:55 AM
Updated: May 15, 2026, 8:55 AM