WordPress Plugin Vulnerabilities

Hustle – Email Marketing, Lead Generation, Optins, Popups < 7.8.11 - Missing Authorization to Unauthenticated Conversion Tracking Data Manipulation

Description

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for unauthenticated attackers to forge conversion tracking events for any Hustle module, including draft modules that are never displayed to users, thereby manipulating marketing analytics and conversion statistics.

Affects Plugins

Plugin icon
wordpress-popup
Fixed in 7.8.11

References

CVE
CVE-2026-2263
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2305462c-0a00-4423-8dc2-e32628c4864d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Nguyen C
Verified
No
WPVDB ID
94fc0390-e3f0-4ad4-b970-61065af5e498

Timeline

Publicly Published
2026-04-07 (about 1 month ago)
Added
2026-04-07 (about 1 month ago)
Last Updated
2026-04-08 (about 1 month ago)

Other

Published
Title
Published
2025-03-27
Title
Cool Author Box < 3.0.0 - Missing Authorization
Published
2024-05-22
Title
Atarim < 3.30 - Unauthenticated Settings Update, Post Deletion etc
Published
2023-10-18
Title
Headline Analyzer < 1.3.2 - Missing Authorization via REST APIs
Published
2024-06-06
Title
Extra Product Options for WooCommerce < 3.0.7 - Missing Authorization
Published
2025-04-02
Title
Rich Text Editor <= 1.0.1 - Missing Authorization