HubSpot WordPress Plugin Vulnerability

WPScan and the United States Government National Vulnerability Database published a notice of a vulnerability discovered in the HubSpot WordPress plugin. The vulnerability exposes users of the plugin to a Server Side Request Forgery attack.

WPScan Vulnerability Report

The security researchers at WPScan published the following report:

“HubSpot < 8.8.15 – Contributor+ Blind SSRF

Description

The plugin does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above) to perform SSRF attacks”

Server Side Request Forgery (SSRF) Vulnerability

This vulnerability requires that a contributor level subscriber be logged in for the exposure to happen.

The non-profit Open Web Application Security Project (OWASP), a worldwide organization dedicated to software security, an SSRF vulnerability can result in the exposure of internal services that are not meant to be exposed.

According to OWASP:

“In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources.

The attacker can supply or modify a URL which the code running on the server will read or submit data to, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like http enabled databases or perform post requests towards internal services which are not intended to be exposed.”

The services that aren’t supposed to be exposed are:

  • “Cloud server meta-data
  • Database HTTP interfaces
  • Internal REST interfaces
  • Files – The attacker may be able to read files using URIs”

HubSpot WordPress Plugin

The HubSpot WordPress plugin is used by over 200,000 publishers. It provides CRM, live chat, analytics and email marketing related capabilities.

The vulnerability discovered by WPScan notes that it was fixed in version 8.8.15.

However, the changelog that documents what was updated in the software shows that the HubSpot WordPress plugin received additional updates to fix other vulnerabilities.

Here is a list of the updates according to the official changelog, in order beginning with the oldest update:

= 8.8.15 (2022-04-07) = * Fix security issue related to proxy URL = 8.9.14 (2022-04-12) = * Fix security issue related to form inputs = 8.9.20 (2022-04-13) = * Fix security issue related to sanitizing inputs

While the security firm WPScan and the National Vulnerability Database state that vulnerability was fixed in version 8.8.15, according to the HubSpot plugin changelog, there were further security fixes all the way up to version 8.9.20.

So it my be prudent to update the HubSpot plugin to at least version 8.9.20, although the absolute latest version of the HubSpot WordPress plugin, as of this writing, is version 8.11.0.

Citations

Read WPScan Vulnerability Report

HubSpot < 8.8.15 – Contributor+ Blind SSRF

Read the National Vulnerability Database Report

CVE-2022-1239 Detail

Review the HubSpot WordPress Plugin Changelog

HubSpot WordPress Plugin Changelog