Hustle < 7.8.9.3 – Subscriber+ Arbitrary File Upload via Module Import | CVE 2026-0911 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function. This makes it possible for authenticated attackers, with a lower-privileged role (e.g., Subscriber-level access and above), to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires an admin to grant Hustle module permissions (or module edit access) to the low-privileged user so they can access the Hustle admin page and obtain the required nonce.

Affects Plugins

wordpress-popup

Fixed in 7.8.9.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/22be5fb5-143e-4934-9f93-e17def18e883

Miscellaneous

Original Researcher

Williwollo (CybrX)

Verified

No

WPVDB ID

a965c188-a35f-4efd-a3b3-bcfe8e0c57b2

Timeline

Publicly Published

2026-01-23 (about 3 months ago)

Added

2026-01-26 (about 3 months ago)

Last Updated

2026-01-26 (about 3 months ago)

Other

Published

Title

Published

2024-10-21

Title

3D Work In Progress <= 1.0.3 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2024-05-06

Title

Startklar Elementor Addons < 1.7.14 - Unauthenticated Arbitrary File Upload

Published

2024-09-30

Title

Wechat Social login <= 1.3.0 - Unauthenticated Arbitrary File Upload

Published

2025-12-04

Title

Demo Importer Plus < 2.0.7 - Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass

Published

2024-11-27

Title

File Manager Pro – Filester < 1.8.7- Authenticated (Subscriber+) Arbitrary File Upload