Hustle – Email Marketing, Lead Generation, Optins, Popups < 7.8.6 – Missing Authorization to Unpublished Form Exposure | CVE 2024-10579 | Plugin Vulnerabilities

Description

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the preview_module() function in all versions up to, and including, 7.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view unpublished forms.

Affects Plugins

wordpress-popup

Fixed in 7.8.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ebd96d9c-c1ab-4a53-a52a-9fc2541482f2

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Vijaysimha Reddy (vijaysimha)

Verified

No

WPVDB ID

a1fa7ecb-6f75-48cf-a15f-d973d3e026fd

Timeline

Publicly Published

2024-11-25 (about 1 year ago)

Added

2024-11-25 (about 1 year ago)

Last Updated

2024-11-26 (about 1 year ago)

Other

Published

Title

Published

2023-12-06

Title

System Dashboard < 2.8.8 - Missing Authorization to Information Disclosure (sd_db_specs)

Published

2024-12-11

Title

Zita Site Builder <= 1.0.2 - Missing Authorization to Arbitrary Plugin Installation

Published

2026-01-29

Title

Konte < 2.4.7 - Missing Authorization

Published

2024-07-16

Title

Event Manager, Events Calendar, Tickets, Registrations – Eventin < 4.0.5 - Missing Authorization to Authenticated (Contributor+) Event Data Import

Published

2022-10-20

Title

Simple SEO < 1.8.13 - Subscriber+ Sitemap Creation/Deletion