Forminator WordPress Plugin Sensitive Information Exposure Vulnerability

Vulnerability

A vulnerability allowing sensitive information exposure has been identified in the Forminator plugin for WordPress, affecting all versions through 1.29.1. The issue arises in the file 'class-forminator-addon-hubspot-wp-api.php', where hardcoded HubSpot API keys are exposed. This vulnerability allows unauthenticated attackers to access the HubSpot integration developer API key, potentially leading to unauthorized changes in the plugin's HubSpot integration or the exposure of personally identifiable information from users utilizing the HubSpot integration.

Impact

Exploitation of this vulnerability allows for the unauthorized extraction of the HubSpot API key, enabling attackers to make unauthorized changes to the HubSpot integration within the Forminator plugin. Additionally, there is a risk of exposing personally identifiable information from users of the plugin's HubSpot integration.

Reproduction

The vulnerability can be reproduced by downloading the Forminator plugin version 1.29.0 or earlier, and then unzipping the file to access the source code. The exposed HubSpot API keys can be found in the 'class-forminator-addon-hubspot-wp-api.php' file, which is part of the plugin's HubSpot integration.

Remediation

Users can update to Forminator version 1.29.2 or a later patched version to address this vulnerability.
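
To confirm that an installed copy is patched, the sketch below reads the plugin header version, compares it against 1.29.2, and reports (with values redacted) any credential-like literals left in 'class-forminator-addon-hubspot-wp-api.php'. It is an added example, not code from the advisory or from Forminator. The function names, the credential pattern, and the sample strings are assumptions constructed for illustration.

```python
import re
from pathlib import Path

FIXED = (1, 29, 2)  # first patched release named in the advisory
API_FILE = "class-forminator-addon-hubspot-wp-api.php"  # file named in the advisory
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.M | re.I)
# Assumption: credentials are quoted literals (16+ chars) bound to key-like identifiers.
CRED_RE = re.compile(
    r"""\b(\w*(?:api_?key|secret|client_id|app_id)\w*)['"\s]*(?:=>|=|,)\s*(['"])([\w-]{16,})\2""",
    re.I)

# Constructed samples, not taken from the plugin.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: Forminator\n * Version: 1.29.0\n */\n"
SAMPLE_PHP = """<?php
class Sample_Api {
    const CLIENT_ID = 'EXAMPLE-0000-1111-2222-PLACEHOLDER';
    private $api_key = "EXAMPLEKEY0123456789abcdef";
    private $endpoint = 'https://example.invalid/';
}
"""

def parse_version(header_text):
    """Read the WordPress plugin header 'Version:' field as an int tuple."""
    m = VERSION_RE.search(header_text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version):
    """True when the version is known and older than the patched release."""
    return version is not None and version < FIXED

def find_hardcoded_credentials(php_source):
    """Return (line_no, identifier, redacted_value) per credential-like literal."""
    hits = []
    for no, line in enumerate(php_source.splitlines(), 1):
        for m in CRED_RE.finditer(line):
            value = m.group(3)
            hits.append((no, m.group(1), value[:4] + "*" * (len(value) - 4)))
    return hits

def audit(plugin_dir):
    """Check one unpacked plugin directory: header version plus the named API file."""
    root = Path(plugin_dir)
    headers = (parse_version(p.read_text(errors="replace")[:8192]) for p in root.glob("*.php"))
    version = next((v for v in headers if v), None)
    hits = [h for f in root.rglob(API_FILE)
            for h in find_hardcoded_credentials(f.read_text(errors="replace"))]
    return {"version": version, "vulnerable": is_vulnerable(version), "hardcoded": hits}
```

Call audit() with the directory of the installed or unpacked plugin. A result with "vulnerable" set to True or a non-empty "hardcoded" list means the copy still needs the update.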

Added: May 15, 2026, 8:54 AM
Updated: May 15, 2026, 8:54 AM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.