So we all know HubSpot and what they do. They (or someone) released a plugin called “HubSpot for WordPress”. This plugin included some awesome features. Not too long ago, I went to look for the plugin in the repo and it was gone. From years in the WP world, this does not happen with a simple request.
I resorted to downloading a backup version I had on hand from another project. Being a curious person, I decided to poke around in the code, and what I found was jaw-dropping.
There is a set of standards, guidelines and best practices that are used when creating a theme and/or plugin for WordPress, and clearly someone did not get the memo.
Here is why I feel this way about this plugin and am happy that it has been removed:
- Files can be accessed directly and some even accept outside parameters.
- Unsanitized parameters can be fed to the exposed files.
- wp-load.php is included directly, which assumes that the WP install is not in a subdirectory and that the file layout is the standard one.
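To make the three points concrete, here is an added example (not code from the HubSpot plugin or from this post): the anti-pattern the bullets describe, shown as a hypothetical plugin file, followed by the same save operation done the way the WordPress guidelines ask for it, with no web-reachable plugin file, no manual wp-load.php include, and the parameter checked before it is stored. The plugin slug "hs-demo", the option name and the action/nonce names are assumptions.

```php
<?php
// --- Anti-pattern (hypothetical file "hs-save.php"; NOT the real plugin's code) ---
// Reachable by URL, assumes a standard install layout, trusts raw input:
//   require_once '../../../wp-load.php';             // breaks when WP lives in a subdirectory
//   update_option( 'hs_portal_id', $_GET['portal'] ); // no auth, no nonce, no sanitization
// --- Standards-conforming version (assumed plugin slug: "hs-demo") ---

// 1. Direct-access guard: if WordPress did not load this file, do nothing.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// 2. Route the request through WordPress instead of a URL-addressable file.
//    admin-post.php bootstraps core for us, wherever WP happens to be installed.
add_action( 'admin_post_hs_demo_save', 'hs_demo_save_portal_id' );

function hs_demo_save_portal_id() {
	// 3. Capability check: only users who may manage options can change settings.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Insufficient permissions.', 'hs-demo' ), 403 );
	}

	// 4. Nonce check: the request must come from our own settings form.
	check_admin_referer( 'hs_demo_save', 'hs_demo_nonce' );

	// 5. Sanitize and validate the parameter before it touches the database.
	$raw    = isset( $_POST['portal'] ) ? wp_unslash( $_POST['portal'] ) : '';
	$portal = sanitize_text_field( $raw );
	if ( ! preg_match( '/^\d{1,12}$/', $portal ) ) {
		wp_die( esc_html__( 'Invalid portal id.', 'hs-demo' ), 400 );
	}
	update_option( 'hs_demo_portal_id', $portal );

	wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=hs-demo' ) ) );
	exit;
}

// 6. The matching settings form (rendered on the plugin's options page) emits the nonce
//    and posts to admin-post.php, so no plugin file has to be web-reachable.
function hs_demo_settings_form() {
	$portal = get_option( 'hs_demo_portal_id', '' );
	echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
	echo '<input type="hidden" name="action" value="hs_demo_save" />';
	wp_nonce_field( 'hs_demo_save', 'hs_demo_nonce' );
	echo '<input type="text" name="portal" value="' . esc_attr( $portal ) . '" />';
	submit_button( __( 'Save', 'hs-demo' ) );
	echo '</form>';
}
```

The ABSPATH guard on its own only stops the file from running when hit directly; the hook, capability, nonce and sanitization steps are what actually close the three gaps listed above.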
It is hard for me to believe that a company like HubSpot would release a plugin with such disregard for security and standards. With this said, I would love to see the plugin reworked and put back in the .ORG repo, but it will need a lot of work.
If you are using this plugin, please deactivate it for security purposes. You can find the article from HubSpot on how to migrate to the new "simplified" (everything removed) HubSpot Tracking Code by visiting the link below.
If you have any questions or concerns about the plugin, I would be happy to answer them.