by vicarius
log in join community
by @secatgourity
05 Aug 2024
#novel_exploit_analysis

An exploitation of a CVE vulnerability that has no prior exploit

publish

Novel Exploit: Stealing secrets from Forminator (CVE-2024-7389)

by @secatgourity
by @secatgourity
05 Aug 2024
#novel_exploit_analysis

An exploitation of a CVE vulnerability that has no prior exploit

publish

Novel Exploit: Stealing secrets from Forminator (CVE-2024-7389)

OS

Kali Linux
Kali LinuxKali
2024.1.*
2020.3.*
2019.4.*

Apps

FCF
Forminator Contact Form, Poll & Quiz BuilderWpmudev
*.*

Screenshots from the blog posts

images/clzfq4hxwy1fj1in9da7e98pd.jpgimages/clzfq4hxwy1fj1in9da7e98pd.jpg

Summary

In this post, we will exploit the latest issue with the Forminator plugin where an unuathenticated attacker can steal HubSpot's CLIENT_SECRET and the HAPIKEY from the codebase, leading to an attacker making unauthorized changes to the developer's hubspot account or expose their PII.

general

Description

Tags

#exposed_to_sensitive_information_disclosure#opensource#wordpress#sensitive-data-disclosure#forminator#hardcoded-secrets

@secatgourity

190 posts

Total vcoins

0

Social media links

Comments (0)