WP-Safety

Hustle – Email Marketing, Lead Generation, Optins, Popups Security & Risk Analysis

wordpress.org/plugins/wordpress-popup

Setup email optin forms, popups, newsletter forms & subscription forms to generate email leads with the best marketing popup builder

90K active installs v7.8.10.2 PHP 7.4+ WP 6.4+ Updated Feb 13, 2026
marketingnewsletteroptinpopupsubscription-form
88
A · Safe
CVEs total8
Unpatched0
Last CVEJan 25, 2026
Plugin page Download
Safety Verdict

Is Hustle – Email Marketing, Lead Generation, Optins, Popups Safe to Use in 2026?

Generally Safe

Score 88/100

Hustle – Email Marketing, Lead Generation, Optins, Popups has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEsLast CVE: Jan 25, 2026Updated 1mo ago
Risk Assessment

The 'wordpress-popup' plugin v7.8.10.2 exhibits a concerning security posture, despite some positive indications in static analysis. While the vast majority of SQL queries are prepared and output escaping is generally strong, the plugin presents a significant attack surface with 40 unprotected AJAX handlers. This is a major weakness that could allow unauthenticated users to trigger potentially malicious actions. The taint analysis revealed one flow with unsanitized paths, which, although not rated as critical or high, still warrants attention as it indicates a potential avenue for injection vulnerabilities.

The vulnerability history is a significant red flag. With a total of 8 known CVEs, including 3 high and 5 medium severity vulnerabilities, and the last one being in 2026, it suggests a recurring pattern of security flaws. The types of past vulnerabilities, such as exposure of sensitive information, unrestricted file uploads, missing authorization, XSS, and injection, directly correlate with the uncovered attack surface and taint flow issues. This historical data strongly suggests a history of poor security practices or insufficient remediation.

In conclusion, while the plugin demonstrates good practices in SQL preparation and output escaping, the large number of unprotected AJAX endpoints, a detected unsanitized path flow, and a history of severe vulnerabilities significantly outweigh these strengths. The plugin should be considered a high-risk component until these critical issues are addressed and a sustained period of vulnerability-free updates is observed. The lack of currently unpatched CVEs is a positive sign, but the historical pattern and present static analysis findings demand caution.

Key Concerns

  • 40 unprotected AJAX handlers
  • 1 flow with unsanitized paths (taint analysis)
  • 3 high severity CVEs historically
  • 5 medium severity CVEs historically
  • Large attack surface (50 entry points)
Vulnerabilities
8

Hustle – Email Marketing, Lead Generation, Optins, Popups Security Vulnerabilities

CVEs by Year

1 CVE in 2019
2019
1 CVE in 2023
2023
4 CVEs in 2024
2024
2 CVEs in 2026
2026
Patched Has unpatched

Severity Breakdown

High
3
Medium
5

8 total CVEs

CVE-2026-24998medium · 5.3Exposure of Sensitive Information to an Unauthorized Actor

Hustle <= 7.8.9.2 - Unauthenticated Information Exposure

Jan 25, 2026 Patched in 7.8.9.3 (9d)
CVE-2026-0911high · 7.5Unrestricted Upload of File with Dangerous Type

Hustle <= 7.8.9.2 - Authenticated (Subscriber+) Arbitrary File Upoload via Module Import

Jan 23, 2026 Patched in 7.8.9.3 (1d)
CVE-2024-10580medium · 5.3Missing Authorization

Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.5 - Missing Authorization to Unauthorized Form Submission

Nov 26, 2024 Patched in 7.8.6 (1d)
CVE-2024-10579medium · 4.3Missing Authorization

Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.5 - Missing Authorization to Unpublished Form Exposure

Nov 25, 2024 Patched in 7.8.6 (1d)
CVE-2024-8492medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Hustle <= 7.8.4 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jul 29, 2024 Patched in 7.8.5 (75d)
CVE-2024-0368high · 8.6Insufficiently Protected Credentials

Hustle <= 7.8.3 - Sensitive Information Exposure via Exposed Hubspot API Keys

Mar 12, 2024 Patched in 7.8.4 (140d)
WF-e74be387-1413-49c5-91c6-66e620562b42-wordpress-popupmedium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Hustle <= 7.6.4 = Authenticated (Administrator+) Stored Cross-Site Scripting

Apr 6, 2023 Patched in 7.6.6 (292d)
CVE-2019-11872high · 7.8Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Hustle <= 6.0.7 - Unauthenticated CSV Injection

May 24, 2019 Patched in 6.0.8.1 (1705d)
Code Analysis
Analyzed Mar 16, 2026

Hustle – Email Marketing, Lead Generation, Optins, Popups Code Analysis

Dangerous Functions
0
Raw SQL Queries
18
174 prepared
Unescaped Output
25
3095 escaped
Nonce Checks
10
Capability Checks
22
File Operations
5
External Requests
36
Bundled Libraries
1

Bundled Libraries

Select2

SQL Query Safety

91% prepared192 total queries

Output Escaping

99% escaped3120 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

3 flows1 with unsanitized paths
action_import_module (inc\hustle-modules-common-admin-ajax.php:370)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
40 unprotected

Hustle – Email Marketing, Lead Generation, Optins, Popups Attack Surface

Entry Points50
Unprotected40

AJAX Handlers 47

authwp_ajax_hustle_dismiss_notificationinc\class-hustle-notifications.php:73
authwp_ajax_hustle_hide_tutorialsinc\class-hustle-tutorials-page.php:33
authwp_ajax_hustle_get_wp_dashboard_widget_datainc\class-hustle-wp-dashboard-page.php:44
authwp_ajax_hustle_module_viewedinc\front\hustle-module-front-ajax.php:19
noprivwp_ajax_hustle_module_viewedinc\front\hustle-module-front-ajax.php:20
authwp_ajax_hustle_module_form_submitinc\front\hustle-module-front-ajax.php:23
noprivwp_ajax_hustle_module_form_submitinc\front\hustle-module-front-ajax.php:24
authwp_ajax_hustle_update_network_sharesinc\front\hustle-module-front-ajax.php:27
noprivwp_ajax_hustle_update_network_sharesinc\front\hustle-module-front-ajax.php:28
authwp_ajax_hustle_module_convertedinc\front\hustle-module-front-ajax.php:31
noprivwp_ajax_hustle_module_convertedinc\front\hustle-module-front-ajax.php:32
authwp_ajax_hustle_sshare_click_countedinc\front\hustle-module-front-ajax.php:35
noprivwp_ajax_hustle_sshare_click_countedinc\front\hustle-module-front-ajax.php:36
authwp_ajax_hustle_unsubscribe_form_submissioninc\front\hustle-module-front-ajax.php:39
noprivwp_ajax_hustle_unsubscribe_form_submissioninc\front\hustle-module-front-ajax.php:40
authwp_ajax_hustle_module_display_despite_static_cacheinc\front\hustle-module-front-ajax.php:43
noprivwp_ajax_hustle_module_display_despite_static_cacheinc\front\hustle-module-front-ajax.php:44
authwp_ajax_hustle_render_unsubscribe_forminc\front\hustle-module-front.php:70
authwp_ajax_hustle_migrate_trackinginc\hustle-migration.php:94
authwp_ajax_hustle_save_moduleinc\hustle-modules-common-admin-ajax.php:21
authwp_ajax_hustle_fetch_font_familiesinc\hustle-modules-common-admin-ajax.php:23
authwp_ajax_hustle_create_new_moduleinc\hustle-modules-common-admin-ajax.php:25
authwp_ajax_hustle_preview_moduleinc\hustle-modules-common-admin-ajax.php:26
authwp_ajax_hustle_tracking_datainc\hustle-modules-common-admin-ajax.php:27
authwp_ajax_hustle_listing_bulkinc\hustle-modules-common-admin-ajax.php:30
authwp_ajax_hustle_module_handle_single_actioninc\hustle-modules-common-admin-ajax.php:33
authwp_ajax_hustle_render_moduleinc\hustle-modules-common-admin-ajax.php:36
authwp_ajax_hustle_get_module_id_by_shortcodeinc\hustle-modules-common-admin-ajax.php:37
authwp_ajax_get_new_condition_idsinc\hustle-modules-common-admin-ajax.php:40
authwp_ajax_hustle_remove_ipsinc\hustle-settings-admin-ajax.php:18
authwp_ajax_hustle_reset_settingsinc\hustle-settings-admin-ajax.php:19
authwp_ajax_hustle_load_recaptcha_previewinc\hustle-settings-admin-ajax.php:22
authwp_ajax_hustle_handle_palette_actionsinc\hustle-settings-admin-ajax.php:25
authwp_ajax_hustle_save_settingsinc\hustle-settings-admin-ajax.php:28
authwp_ajax_hustle_provider_get_providersinc\provider\class-hustle-provider-admin-ajax.php:68
authwp_ajax_hustle_provider_get_form_providersinc\provider\class-hustle-provider-admin-ajax.php:69
authwp_ajax_hustle_provider_deactivateinc\provider\class-hustle-provider-admin-ajax.php:70
authwp_ajax_hustle_provider_is_on_moduleinc\provider\class-hustle-provider-admin-ajax.php:71
authwp_ajax_hustle_provider_settingsinc\provider\class-hustle-provider-admin-ajax.php:72
authwp_ajax_hustle_provider_form_settingsinc\provider\class-hustle-provider-admin-ajax.php:73
authwp_ajax_hustle_provider_form_deactivateinc\provider\class-hustle-provider-admin-ajax.php:74
authwp_ajax_hustle_refresh_email_listsinc\provider\class-hustle-provider-admin-ajax.php:75
authwp_ajax_hustle_provider_insert_local_listinc\provider\class-hustle-provider-admin-ajax.php:76
authwp_ajax_hustle_provider_migrate_aweberinc\provider\class-hustle-provider-admin-ajax.php:77
authwp_ajax_hustle_provider_migrate_constantcontactinc\provider\class-hustle-provider-admin-ajax.php:78
authwp_ajax_hustle_provider_migrate_infusionsoftinc\provider\class-hustle-provider-admin-ajax.php:79
authwp_ajax_hustle_mailchimp_get_group_interestsinc\providers\mailchimp\hustle-mailchimp.php:113

Shortcodes 3

[wd_hustle_cc] inc\front\hustle-module-front.php:168
[wd_hustle_ss] inc\front\hustle-module-front.php:174
[wd_hustle_unsubscribe] inc\front\hustle-module-front.php:180
WordPress Hooks 105
actionadmin_menuinc\class-hustle-admin-page-abstract.php:93
actionadmin_initinc\class-hustle-admin-page-abstract.php:120
actionadmin_enqueue_scriptsinc\class-hustle-admin-page-abstract.php:172
actionadmin_print_stylesinc\class-hustle-admin-page-abstract.php:173
filteradmin_body_classinc\class-hustle-admin-page-abstract.php:174
filterremovable_query_argsinc\class-hustle-admin-page-abstract.php:175
filtertiny_mce_before_initinc\class-hustle-admin-page-abstract.php:476
filterwp_default_editorinc\class-hustle-admin-page-abstract.php:477
filtertiny_mce_pluginsinc\class-hustle-admin-page-abstract.php:478
filtermce_buttonsinc\class-hustle-admin-page-abstract.php:479
actioninitinc\class-hustle-cross-sell.php:25
actionadmin_initinc\class-hustle-module-admin.php:37
actionadmin_menuinc\class-hustle-module-admin.php:40
actionadmin_print_stylesinc\class-hustle-module-admin.php:41
actionadmin_print_footer_scriptsinc\class-hustle-module-admin.php:42
filterw3tc_save_optionsinc\class-hustle-module-admin.php:45
filterplugin_action_linksinc\class-hustle-module-admin.php:46
filternetwork_admin_plugin_action_linksinc\class-hustle-module-admin.php:47
filterplugin_row_metainc\class-hustle-module-admin.php:48
actionupgrader_process_completeinc\class-hustle-module-admin.php:50
filtersubmenu_fileinc\class-hustle-module-page-abstract.php:103
actionadmin_headinc\class-hustle-module-page-abstract.php:105
actionadmin_menu_editor-menu_replacedinc\class-hustle-module-page-abstract.php:108
filterremovable_query_argsinc\class-hustle-module-page-abstract.php:144
actionadmin_enqueue_scriptsinc\class-hustle-module-page-abstract.php:145
actionadmin_initinc\class-hustle-module-page-abstract.php:221
actionadmin_enqueue_scriptsinc\class-hustle-module-page-abstract.php:228
actionadmin_enqueue_scriptsinc\class-hustle-module-page-abstract.php:233
filteruser_can_richeditinc\class-hustle-module-page-abstract.php:236
filtermce_buttonsinc\class-hustle-module-page-abstract.php:242
filtermce_external_pluginsinc\class-hustle-module-page-abstract.php:244
actionadmin_footerinc\class-hustle-module-page-abstract.php:342
actionadmin_initinc\class-hustle-notifications.php:65
actioncurrent_screeninc\class-hustle-notifications.php:67
actionadmin_noticesinc\class-hustle-notifications.php:85
actionadmin_noticesinc\class-hustle-notifications.php:89
actionadmin_noticesinc\class-hustle-notifications.php:93
actionadmin_noticesinc\class-hustle-notifications.php:97
actionadmin_noticesinc\class-hustle-notifications.php:100
actionadmin_noticesinc\class-hustle-notifications.php:102
actionnetwork_admin_noticesinc\class-hustle-notifications.php:377
actionadmin_noticesinc\class-hustle-notifications.php:381
actionin_plugin_update_message-wordpress-popup/popover.phpinc\class-hustle-notifications.php:394
actionload-plugins.phpinc\class-hustle-notifications.php:397
actionafter_plugin_row_hustle/opt-in.phpinc\class-hustle-notifications.php:400
actionadmin_print_stylesinc\class-hustle-wp-dashboard-page.php:36
filteradmin_body_classinc\class-hustle-wp-dashboard-page.php:37
actionadmin_enqueue_scriptsinc\class-hustle-wp-dashboard-page.php:40
actionwp_dashboard_setupinc\class-hustle-wp-dashboard-page.php:42
actionafter_setup_themeinc\class-opt-in.php:78
actionadmin_initinc\class-opt-in.php:81
actionwp_enqueue_scriptsinc\front\class-hustle-module-preview.php:22
actionwp_footerinc\front\class-hustle-module-preview.php:24
actionpre_get_postsinc\front\class-hustle-module-preview.php:26
filterthe_titleinc\front\class-hustle-module-preview.php:28
filterthe_excerptinc\front\class-hustle-module-preview.php:31
filterthe_contentinc\front\class-hustle-module-preview.php:33
filtershow_admin_barinc\front\class-hustle-module-preview.php:37
actionhustle_send_emailinc\front\hustle-module-front.php:66
actionhustle_aweber_token_refreshinc\front\hustle-module-front.php:67
actionpost_updatedinc\front\hustle-module-front.php:107
actionwp_enqueue_scriptsinc\front\hustle-module-front.php:117
actionwp_footerinc\front\hustle-module-front.php:123
actionwp_headinc\front\hustle-module-front.php:128
actiontemplate_redirectinc\front\hustle-module-front.php:130
actiontemplate_redirectinc\front\hustle-module-front.php:136
filterget_the_excerptinc\front\hustle-module-front.php:138
filterwp_trim_excerptinc\front\hustle-module-front.php:139
filterthe_contentinc\front\hustle-module-front.php:141
filterrun_ngg_resource_managerinc\front\hustle-module-front.php:148
actionwidgets_initinc\front\hustle-module-front.php:163
filterthe_contentinc\front\hustle-module-front.php:204
actionwp_footerinc\front\hustle-module-front.php:870
actionwp_footerinc\front\hustle-renderer-abstract.php:111
actionwp_headinc\front\hustle-renderer-abstract.php:113
filterforminator_render_shortcode_is_previewinc\front\hustle-renderer-abstract.php:252
filterremovable_query_argsinc\hustle-entries-admin.php:142
actionadmin_enqueue_scriptsinc\hustle-entries-admin.php:216
actionhustle_general_data_protection_cleanupinc\hustle-general-data-protection.php:53
filterwp_privacy_personal_data_erasersinc\hustle-general-data-protection.php:54
filterwp_privacy_personal_data_exportersinc\hustle-general-data-protection.php:55
actioninitinc\hustle-migration.php:97
filterupload_mimesinc\hustle-modules-common-admin-ajax.php:416
filtermce_external_pluginsinc\hustle-settings-page.php:48
actionadmin_enqueue_scriptsinc\hustle-settings-page.php:50
actionadmin_enqueue_scriptsinc\hustle-settings-page.php:52
actionadmin_print_stylesinc\hustle-sshare-admin.php:75
actionwp_insert_siteinc\multisite\class-hustle-multisite.php:21
filterhttp_headers_useragentinc\providers\campaignmonitor\hustle-campaignmonitor-api.php:117
actioninitinc\providers\constantcontact\hustle-constantcontact.php:125
actionenqueue_block_editor_assetsinc\providers\gutenberg\abstract-block.php:52
actioninitinc\providers\gutenberg\gutenberg.php:9
filterblock_categories_allinc\providers\gutenberg\gutenberg.php:10
actioncurrent_screeninc\providers\gutenberg\gutenberg.php:23
actionwpinc\providers\gutenberg\gutenberg.php:24
actioninitinc\providers\hubspot\hustle-hubspot-api.php:54
actioninitinc\providers\infusionsoft\hustle-infusion-soft-oauth.php:19
filterhustle_format_submitted_datainc\providers\mailchimp\hustle-mailchimp-form-hooks.php:24
filterhttp_headers_useragentinc\providers\mautic\hustle-mautic-api.php:136
filterhttp_headers_useragentinc\providers\sendinblue\hustle-sendinblue-api.php:134
actioninitinc\update\class-hustle-410-migration.php:62
actioninitinc\update\class-hustle-430-migration.php:76
actionadmin_noticespopover.php:92
actionactivated_pluginpopover.php:98
actionafter_setup_themepopover.php:150

Scheduled Events 2

hustle_send_email
hustle_general_data_protection_cleanup
Maintenance & Trust

Hustle – Email Marketing, Lead Generation, Optins, Popups Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedFeb 13, 2026
PHP min version7.4
Downloads4.4M

Community Trust

Rating88/100
Number of ratings855
Active installs90K
Alternatives

Hustle – Email Marketing, Lead Generation, Optins, Popups Alternatives

SendPulse Email Marketing Newsletter

SendPulse Email Marketing Newsletter

sendpulse-email-marketing-newsletter

A
96

Add a customizable email subscription form to your site, send newsletters, and automate email campaigns with autoresponders using SendPulse.

1K 3 CVEs
Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation

Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation

optinmonster

A
96

🤩 Make popups & optin forms to get more email newsletter subscribers, leads, and sales - #1 most popular popup builder plugin! 🚀

1.0M 6 CVEs
Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder

popup-maker

A
91

Want to boost sales & marketing efforts? Use your favorite forms & builder. Unlimited popups & impressions, keep your data, no monthly subscription.

700K 18 CVEs
Advanced Popups

Advanced Popups

advanced-popups

A
100

Display high-converting newsletter popups, a cookie notice, or a notification with the light-weight yet feature-rich plugin.

70K 1 CVE
Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce

Sender – Newsletter, SMS and Email Marketing Automation for WooCommerce

sender-net-automated-emails

A
99

Sender is an all-in-one email & SMS marketing platform designed keeping the challenges of ecommerce and small businesses in mind.

5K 2 CVEs
Developer Profile

Hustle – Email Marketing, Lead Generation, Optins, Popups Developer Profile

WPMU DEV - Your All-in-One WordPress Platform

9 plugins · 2.4M total installs

73
trust score
Avg Security Score
91/100
Avg Patch Time
396 days
View full developer profile
Detection Fingerprints

How We Detect Hustle – Email Marketing, Lead Generation, Optins, Popups

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wordpress-popup/assets/css/admin-style.css/wp-content/plugins/wordpress-popup/assets/css/animate.min.css/wp-content/plugins/wordpress-popup/assets/css/owl.carousel.min.css/wp-content/plugins/wordpress-popup/assets/js/admin-script.js/wp-content/plugins/wordpress-popup/assets/js/owl.carousel.min.js/wp-content/plugins/wordpress-popup/assets/js/popper.min.js/wp-content/plugins/wordpress-popup/assets/js/bootstrap.min.js
Script Paths
/wp-content/plugins/wordpress-popup/assets/js/admin-script.js
Version Parameters
wordpress-popup/assets/css/admin-style.css?ver=wordpress-popup/assets/css/animate.min.css?ver=wordpress-popup/assets/css/owl.carousel.min.css?ver=wordpress-popup/assets/js/admin-script.js?ver=wordpress-popup/assets/js/owl.carousel.min.js?ver=wordpress-popup/assets/js/popper.min.js?ver=wordpress-popup/assets/js/bootstrap.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
hustle-modulehustle-popuphustle-slideinhustle-widgethustle-inlinehustle-settings-pagehustle-dashboard-widget
HTML Comments
<!-- Hustle Module --><!-- Hustle Popup --><!-- Hustle Settings Page -->
Data Attributes
data-hustle-iddata-hustle-moduledata-hustle-typedata-hustle-close-timedata-hustle-animation
JS Globals
HustleAdminHustleFrontendhustle_scripts_paramshustle_frontend_params
REST Endpoints
/wp-json/hustle/v1/modules/wp-json/hustle/v1/settings/wp-json/hustle/v1/analytics
Shortcode Output
[hustle_shortcode_tag]
FAQ

Frequently Asked Questions about Hustle – Email Marketing, Lead Generation, Optins, Popups