CVE-2026-0911
Unknown Unknown - Not Provided
Arbitrary File Upload in Hustle WordPress Plugin Enables RCE

Publication date: 2026-01-24

Last updated on: 2026-01-24

Assigner: Wordfence

Description
The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, with a lower-privileged role (e.g., Subscriber-level access and above), to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires an admin to grant Hustle module permissions (or module edit access) to the low-privileged user so they can access the Hustle admin page and obtain the required nonce.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-24
Last Modified
2026-01-24
Generated
2026-06-16
AI Q&A
2026-01-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0911
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
the_hustle email_marketing_plugin to 7.8.9.2 (inc)
unknown_vendor wordpress-popup 7.8.9.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Hustle WordPress plugin (up to version 7.8.9.2) and allows authenticated users with low privileges (such as Subscriber-level) to upload arbitrary files to the server due to improper file type validation in the action_import_module() function. Exploiting this requires an admin to grant module permissions or edit access to the low-privileged user, enabling them to access the Hustle admin page and obtain the necessary nonce. This arbitrary file upload can potentially lead to remote code execution on the affected server.

Impact Analysis

If exploited, this vulnerability can allow an attacker with low-level access to upload malicious files to your server, which may lead to remote code execution. This means the attacker could execute arbitrary code on your server, potentially compromising the entire website, stealing data, defacing the site, or using the server for further attacks.

Mitigation Strategies

To mitigate this vulnerability, immediately update the Hustle plugin for WordPress to version 7.8.9.3 or later, which includes fixes addressing the arbitrary file upload issue. Additionally, restrict or review permissions to ensure that low-privileged users do not have access to Hustle module permissions or module edit access, preventing them from exploiting the vulnerability. Applying the update that enhances nonce verification and fixes related security issues is critical. [2]

Detection Guidance

Detection of this vulnerability involves checking if the affected WordPress site is running the Hustle plugin version 7.8.9.2 or earlier and if low-privileged users have been granted Hustle module permissions or module edit access. Since the vulnerability allows arbitrary file uploads via the action_import_module() function, monitoring for unusual file upload activity on the Hustle admin page could help. However, no specific detection commands or network signatures are provided in the available resources. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0911. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart