HubSpot WordPress Plugin patched a Forgery vulnerability

WPScan and the United States Government National Vulnerability Database published a notice of a vulnerability discovered in the HubSpot WordPress plugin. The vulnerability exposed users of the plugin to a Server-Side Request Forgery (SSRF) attack.

The security researchers at WPScan published the following report: “The plugin does not validate the proxy URL given to the proxy REST endpoint, which could allow users with the edit_posts capability (by default contributor and above) to perform SSRF attacks.”

The Open Web Application Security Project (OWASP) is a worldwide non-profit organization that works on software security. An SSRF vulnerability can result in the exposure of internal services that should not be exposed. OWASP states that in a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality.

This can result in reading or updating internal resources. Additionally, the attacker can supply or modify a URL that the server will read data from or submit data to.

By carefully selecting the URLs, the attacker can read server configuration such as AWS metadata. In addition, the attacker can connect to internal services like HTTP-enabled databases, or perform POST requests towards internal services that should not be exposed.

The services that should not be exposed include cloud server metadata, database HTTP interfaces, internal REST interfaces, and files.
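The missing check WPScan describes, validating a user-supplied proxy URL before the server fetches it, can be sketched as follows. This is an added example, not code from the HubSpot plugin; the function name `check_proxy_url`, the allowlisted hosts and the sample DNS answers are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the only upstream hosts the proxy endpoint may reach.
const ALLOWED_PROXY_HOSTS = ['api.example.test', 'legacy.example.test'];

/**
 * Decide whether a user-supplied proxy URL may be fetched server-side.
 * $resolve maps a hostname to a list of IP strings (e.g. gethostbynamel).
 * Returns [bool $ok, string $reason].
 */
function check_proxy_url(string $url, callable $resolve): array
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return [false, 'missing scheme or host'];
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return [false, 'scheme not allowed'];
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return [false, 'credentials in URL'];
    }
    $host = strtolower($parts['host']);
    if (!in_array($host, ALLOWED_PROXY_HOSTS, true)) {
        return [false, 'host not on allowlist'];
    }
    // Defence in depth: an allowlisted name must not resolve to internal space.
    $ips = $resolve($host);
    if (!is_array($ips) || $ips === []) {
        return [false, 'host did not resolve'];
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return [false, "resolves to internal address $ip"];
        }
    }
    return [true, 'ok'];
}

// Constructed DNS answers so the example runs offline (stand-in addresses).
$dns = ['api.example.test' => ['93.184.216.34'], 'legacy.example.test' => ['10.0.0.5']];
$resolve = fn(string $h) => $dns[$h] ?? [];
$samples = ['https://api.example.test/v1/forms', 'https://legacy.example.test/',
            'http://169.254.169.254/latest/meta-data/', 'file:///etc/passwd'];
foreach ($samples as $u) {
    [$ok, $why] = check_proxy_url($u, $resolve);
    printf("%-45s %s (%s)\n", $u, $ok ? 'ALLOW' : 'DENY', $why);
}
```

In a real endpoint the request should then be sent to the address that was validated, so a second DNS lookup cannot return a different, internal answer.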

The HubSpot WordPress plugin is used by over 200,000 publishers. It provides CRM, live chat, analytics, and email marketing capabilities.

However, the plugin's changelog shows different data. It shows that the HubSpot WordPress plugin received additional updates to fix other vulnerabilities. The security firm WPScan and the National Vulnerability Database state that the vulnerability was in version 8.8.15.

On the other hand, the HubSpot plugin changelog suggests that there were security fixes up to version 8.9.20. Therefore, it is better to update the HubSpot plugin to at least version 8.9.20. However, the latest version of the HubSpot WordPress plugin is version 8.11.0.
