CVE-2026-25431

Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.10.1 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
7.8.10.2
Patched in
8d
Time to patch

Description

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 7.8.10.1. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=7.8.10.1
PublishedMay 12, 2026
Last updatedMay 19, 2026
Affected pluginwordpress-popup

What Changed in the Fix

Changes introduced in v7.8.10.2

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This exploitation research plan targets **CVE-2026-25431**, a missing authorization vulnerability in the Hustle plugin for WordPress. ### 1. Vulnerability Summary The Hustle plugin (<= 7.8.10.1) is vulnerable to unauthorized access because the `hustle_dismiss_notification` AJAX action (and potentia…

Show full research plan

This exploitation research plan targets CVE-2026-25431, a missing authorization vulnerability in the Hustle plugin for WordPress.

1. Vulnerability Summary

The Hustle plugin (<= 7.8.10.1) is vulnerable to unauthorized access because the hustle_dismiss_notification AJAX action (and potentially others like tracking updates) is registered using wp_ajax_nopriv_ but fails to implement a capability check (e.g., current_user_can( 'manage_options' )). This allows unauthenticated attackers to perform actions intended for administrators, such as dismissing site-wide notifications or manipulating plugin state.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: hustle_dismiss_notification
  • Authentication: None required (unauthenticated).
  • Payload Parameter: name (the identifier of the notification to dismiss).
  • Precondition: The plugin must be active. The target action must be registered in the wp_ajax_nopriv_ hook.

3. Code Flow

  1. Frontend Entry: The JavaScript in assets/js/admin.min.js (specifically within Hustle.define("Modals.Welcome", ...) at module 197) triggers the dismissal.
  2. Request Construction: The dismissModal function sends a POST request to `ajaxurl

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.