Hustle – Email Marketing, Lead Generation, Optins, Popups < 7.8.6 – Missing Authorization to Unauthorized Form Submission | CVE 2024-10580 | Plugin Vulnerabilities

Description

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized form submissions due to a missing capability check on the submit_form() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to submit unpublished forms.

Affects Plugins

wordpress-popup

Fixed in 7.8.6

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/3b2f8726-c4c4-4ed6-aa8d-4412cf5be061

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Vijaysimha Reddy (vijaysimha)

Verified

No

WPVDB ID

bb00e137-fca5-4c83-99f7-b3de7408b3a1

Timeline

Publicly Published

2024-11-26 (about 1 year ago)

Added

2024-11-26 (about 1 year ago)

Last Updated

2024-11-27 (about 1 year ago)

Other

Published

Title

Published

2026-03-04

Title

Membership Plugin – Restrict Content < 3.2.21 - Unauthenticated Privilege Escalation via 'rcp_level'

Published

2022-02-24

Title

Total Upkeep < 1.14.14 - Subscriber+ Backup Disclosure

Published

2024-08-22

Title

WBW Product Table Pro < 1.9.5 - Unauthenticated Arbitrary SQL Execution

Published

2025-08-19

Title

HAPPY – Helpdesk Support Ticket System < 1.0.7 - Missing Authorization

Published

2022-09-07

Title

Frontend File Manager < 21.3 - Unauthenticated File Renaming