{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0911", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-13T18:31:21.227Z", "datePublished": "2026-01-24T12:27:15.063Z", "dateUpdated": "2026-04-08T16:41:45.913Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:45.913Z"}, "affected": [{"vendor": "wpmudev", "product": "Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.8.9.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, with a lower-privileged role (e.g., Subscriber-level access and above), to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires an admin to grant Hustle module permissions (or module edit access) to the low-privileged user so they can access the Hustle admin page and obtain the required nonce."}], "title": "Hustle <= 7.8.9.2 - Authenticated (Subscriber+) Arbitrary File Upoload via Module Import", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22be5fb5-143e-4934-9f93-e17def18e883?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3440956/wordpress-popup"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "cweId": "CWE-434", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Williwollo"}], "timeline": [{"time": "2026-01-13T18:47:07.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-23T23:49:25.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T15:30:19.082687Z", "id": "CVE-2026-0911", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T15:44:15.167Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0911", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-26T15:30:19.082687Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T15:30:20.245Z"}}], "cna": {"title": "Hustle <= 7.8.9.2 - Authenticated (Subscriber+) Arbitrary File Upoload via Module Import", "credits": [{"lang": "en", "type": "finder", "value": "Williwollo"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "wpmudev", "product": "Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "7.8.9.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-13T18:47:07.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-23T23:49:25.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22be5fb5-143e-4934-9f93-e17def18e883?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3440956/wordpress-popup"}], "descriptions": [{"lang": "en", "value": "The Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, with a lower-privileged role (e.g., Subscriber-level access and above), to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires an admin to grant Hustle module permissions (or module edit access) to the low-privileged user so they can access the Hustle admin page and obtain the required nonce."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:45.913Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0911", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:41:45.913Z", "dateReserved": "2026-01-13T18:31:21.227Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-24T12:27:15.063Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, with a lower-privileged role (e.g., Subscriber-level access and above), to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires an admin to grant Hustle module permissions (or module edit access) to the low-privileged user so they can access the Hustle admin page and obtain the required nonce."}, {"lang": "es", "value": "El plugin The Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups para WordPress es vulnerable a cargas de archivos arbitrarios debido a una validaci\u00f3n incorrecta del tipo de archivo en la funci\u00f3n action_import_module() en todas las versiones hasta, e incluyendo, la 7.8.9.2. Esto hace posible que atacantes autenticados, con un rol de menor privilegio (por ejemplo, acceso de nivel de Suscriptor y superior), carguen archivos arbitrarios en el servidor del sitio afectado, lo que puede hacer posible la ejecuci\u00f3n remota de c\u00f3digo. La explotaci\u00f3n exitosa requiere que un administrador otorgue permisos del m\u00f3dulo Hustle (o acceso de edici\u00f3n de m\u00f3dulo) al usuario de bajo privilegio para que puedan acceder a la p\u00e1gina de administraci\u00f3n de Hustle y obtener el nonce requerido."}], "id": "CVE-2026-0911", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-24T13:15:55.300", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3440956/wordpress-popup"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22be5fb5-143e-4934-9f93-e17def18e883?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T21:36:41.333788+00:00", "value": {"mitigation_remediation": ["Upgrade the Hustle plugin to the newest version available; the fix disables arbitrary file uploads and validates file types correctly.", "If an immediate update is not possible, remove or deactivate the Hustle plugin to eliminate the vulnerable functionality.", "Review the plugin\u2019s module permission settings and restrict import or edit capabilities to administrators only, preventing low\u2011privileged users from accessing the upload endpoint."], "summary": {"action": "Update Plugin", "impact": "Remote Code Execution via Arbitrary File Upload"}, "threat_synthesis": {"affected_systems": "This vulnerability affects installations of the Hustle plugin v7.8.9.2 and earlier, provided by wpmudev. The attack requires the plugin to be installed and activated on a WordPress site.", "description_and_impact": "The Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups plugin for WordPress allows authenticated users with Subscriber-level access or higher to upload files through the action_import_module() function in all versions up to 7.8.9.2. Incorrect file type validation permits any file type, which can be exploited to upload code that the server can execute, resulting in remote code execution on the host.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity. EPSS is below 1%, so the likelihood of active exploitation is low, and the vulnerability is not currently listed in the CISA KEV catalog. An attacker must first attain the appropriate Hustle module permissions and an admin\u2011provided nonce to reach the upload functionality, but once achieved the impact can be significant."}}}}, "created": "2026-01-26T11:48:11.911469+00:00", "updated": "2026-04-15T21:45:14.145236+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpmudev", "wpmudev$PRODUCT$hustle"]}