{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24998", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:50:57.103Z", "datePublished": "2026-02-03T14:08:38.085Z", "dateUpdated": "2026-04-28T16:14:52.960Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wordpress-popup", "product": "Hustle", "vendor": "WPMU DEV - Your All-in-One WordPress Platform", "versions": [{"changes": [{"at": "7.8.9.3", "status": "unaffected"}], "lessThanOrEqual": "7.8.9.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:01.915Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPMU DEV - Your All-in-One WordPress Platform Hustle wordpress-popup allows Retrieve Embedded Sensitive Data.<p>This issue affects Hustle: from n/a through <= 7.8.9.2.</p>"}], "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPMU DEV - Your All-in-One WordPress Platform Hustle wordpress-popup allows Retrieve Embedded Sensitive Data.This issue affects Hustle: from n/a through <= 7.8.9.2."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:52.960Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wordpress-popup/vulnerability/wordpress-hustle-plugin-7-8-9-2-sensitive-data-exposure-vulnerability?_s_id=cve"}], "title": "WordPress Hustle plugin <= 7.8.9.2 - Sensitive Data Exposure vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T15:52:48.153965Z", "id": "CVE-2026-24998", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:42:31.485Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24998", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T15:52:48.153965Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:50:49.442Z"}}], "cna": {"title": "WordPress Hustle plugin <= 7.8.9.2 - Sensitive Data Exposure vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bao - BlueRock | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "Retrieve Embedded Sensitive Data"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WPMU DEV - Your All-in-One WordPress Platform", "product": "Hustle", "versions": [{"status": "affected", "changes": [{"at": "7.8.9.3", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "7.8.9.2"}], "packageName": "wordpress-popup", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:33.865Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wordpress-popup/vulnerability/wordpress-hustle-plugin-7-8-9-2-sensitive-data-exposure-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPMU DEV - Your All-in-One WordPress Platform Hustle wordpress-popup allows Retrieve Embedded Sensitive Data.This issue affects Hustle: from n/a through <= 7.8.9.2.", "supportingMedia": [{"type": "text/html", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPMU DEV - Your All-in-One WordPress Platform Hustle wordpress-popup allows Retrieve Embedded Sensitive Data.<p>This issue affects Hustle: from n/a through <= 7.8.9.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-497", "description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:47.936Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24998", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:42:31.485Z", "dateReserved": "2026-01-28T09:50:57.103Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-03T14:08:38.085Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPMU DEV - Your All-in-One WordPress Platform Hustle wordpress-popup allows Retrieve Embedded Sensitive Data.This issue affects Hustle: from n/a through <= 7.8.9.2."}, {"lang": "es", "value": "Exposici\u00f3n de Informaci\u00f3n Sensible del Sistema a una Esfera de Control No Autorizada vulnerabilidad en WPMU DEV - Your All-in-One WordPress Platform Hustle wordpress-popup permite Recuperar Datos Sensibles Incrustados. Este problema afecta a Hustle: desde n/a hasta &lt;= 7.8.9.2."}], "id": "CVE-2026-24998", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-03T15:16:19.043", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wordpress-popup/vulnerability/wordpress-hustle-plugin-7-8-9-2-sensitive-data-exposure-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:13:44.391079+00:00", "value": {"mitigation_remediation": ["Upgrade the Hustle plugin to version 7.8.9.3 or later, which contains the remediation.", "If an upgrade is not immediately possible, disable or uninstall the Hustle plugin to eliminate the exposure pathway.", "Implement monitoring of web server logs for unusual requests to the plugin\u2019s data retrieval endpoints and perform regular security reviews of active plugins."], "summary": {"action": "Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Hustle popup plugin installed from the earliest available build up to version 7.8.9.2 are affected. The issue does not appear to be limited to particular WordPress themes or server configurations and applies to any site that uses the specified plugin versions.", "description_and_impact": "The WPMU DEV Hustle plugin through version 7.8.9.2 contains a flaw that enables any attacker, regardless of authentication, to retrieve embedded sensitive data. The vulnerability is classified as an exposure of sensitive system information to an unauthorized control sphere, allowing malicious actors to view data that should be restricted to site administrators. The primary impact is the unauthorized disclosure of confidential information, which can lead to compromise of site security and user privacy.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity flaw, and the EPSS score of less than 1% shows a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting that there are no known active attacks. However, the flaw can be exploited remotely through the plugin\u2019s exposed endpoints, and the lack of authentication checks directly increases the risk of sensitive data leakage."}}}}, "created": "2026-02-04T12:09:39.715888+00:00", "updated": "2026-04-16T01:15:20.539092+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpmudev", "wpmudev$PRODUCT$hustle"]}