PT-2026-4616 · WordPress · The Hustle – Email Marketing

Williwollo · Published 2026-01-24 · Updated 2026-01-24 · CVE-2026-0911

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress versions up to and including 7.8.9.2

Description
The Hustle plugin for WordPress is affected by a file upload issue. Incorrect file type validation within the action_import_module() function allows authenticated attackers with Subscriber-level access or higher to upload arbitrary files to the server. Successful exploitation requires that an administrator has granted the attacker Hustle module permissions or module edit access, which is how the attacker obtains the necessary nonce. This could potentially lead to remote code execution.

Recommendations
Versions prior to and including 7.8.9.2 should be updated.

Fix

RCE

Unrestricted File Upload

Weakness Enumeration

Related identifiers

CVE-2026-0911

Affected products

The Hustle – Email Marketing