MeldSecurity
Press Enter to search
CVE Database & Search →
Sign In Get Started

CVE-2026-0911

🔴 HIGH

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function...

Published
Jan 24, 2026
Last Modified
Jan 26, 2026
Views
44
Bookmarks
0

Description

Request Expert Review

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, with a lower-privileged role (e.g., Subscriber-level access and above), to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires an admin to grant Hustle module permissions (or module edit access) to the low-privileged user so they can access the Hustle admin page and obtain the required nonce.

CVSS Scores

CVSS 3.1 7.5
7.5
HIGH
CVSS 2.0 7.5

References

plugins.trac.wordpress.org www.wordfence.com

Additional Information

Source
security@wordfence.com
State
Awaiting analysis

Related CVEs

CVE-2026-1793

MEDIUM

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 8.3.17 via the...

Score: 6.5

CVE-2026-1750

HIGH

The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7...

Score: 8.8

CVE-2026-1490

CRITICAL

The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an autho...

Score: 9.8

CVE-2026-2312

MEDIUM

The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the d...

Score: 4.3

CVE-2026-1512

MEDIUM

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the p...

Score: 6.4

CVE-2026-1843

HIGH

The Super Page Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Activity Log in all versions up to, and including, 5.2....

Score: 7.2

Share CVE-2026-0911

Share on Social Media

Copy Link

Embed Code

Request Expert Analysis

Request a professional security analysis for CVE-2026-0911 from our verified experts.

Credits System

Use your credits to get expert analysis from verified security professionals. Purchase more credits anytime!

Add 3 credits for accelerated delivery

Base Cost: 8 credits
Priority Upgrade: + credits
SLA Acceleration: +3 credits
Total Cost:
Your Balance:

Insufficient Credits

You need more credits to submit this request.

Buy Credits

Report Analysis