CVE-2024-7389: Insufficiently Protected Credentials in Forminator

Severity: 7.5 HIGH (NVD)
EPSS: 2.8% (top 13.78%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Aug 2

Description

The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.29.1 via class-forminator-addon-hubspot-wp-api.php. This makes it possible for unauthenticated attackers to extract the HubSpot integration developer API key and make unauthorized changes to the plugin's HubSpot integration or expose personally identifiable information from plugin users using the HubSpot integration.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (1 package)

NVD: incsub/forminator < 1.29.2

Vulnerability Details (2)

CVEList: Forminator <= 1.29.1 - HubSpot Developer API Key Sensitive Information Exposure (2024-08-02)
GHSA: GHSA-q46j-26g9-j9w4: The Forminator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1... (2024-08-02)
CVE-2024-7389 — Insufficiently Protected Credentials | cvebase