[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fhBkcfPCIIBhl5UCetLnX_fhiPe-ASyZL4Zf2MrR_Pw0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":32,"research_started_at":33,"research_completed_at":34,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":35},"CVE-2026-2263","hustle-email-marketing-lead-generation-optins-popups-missing-authorization-to-unauthenticated-conversion-tracking-data-m","Hustle – Email Marketing, Lead Generation, Optins, Popups \u003C= 7.8.10.2 - Missing Authorization to Unauthenticated Conversion Tracking Data Manipulation","The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for unauthenticated attackers to forge conversion tracking events for any Hustle module, including draft modules that are never displayed to users, thereby manipulating marketing analytics and conversion statistics.","wordpress-popup",null,"\u003C=7.8.10.2","7.8.11","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-07 10:52:41","2026-04-07 23:25:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F2305462c-0a00-4423-8dc2-e32628c4864d?source=api-prod",1,[22,23,24,25,26,27],"assets\u002Fjs\u002Fadmin.min.js","assets\u002Fjs\u002Ffront.min.js","inc\u002Fclass-hustle-admin-page-abstract.php","inc\u002Fclass-hustle-module-page-abstract.php","inc\u002Fclass-hustle-notifications.php","inc\u002Fclass-hustle-tutorials-page.php","researched",false,3,"# Research Plan: CVE-2026-2263 - Hustle Email Marketing Missing Authorization\n\n## 1. Vulnerability Summary\nThe **Hustle – Email Marketing, Lead Generation, Optins, Popups** plugin for WordPress is vulnerable to **Missing Authorization** in its conversion tracking logic. Specifically, the AJAX action `hustle_module_converted` (handled via `wp_ajax_nopriv_hustle_module_converted`) lacks sufficient capability checks and validation. This allows unauthenticated attackers to programmatically submit conversion events for any module ID, including draft or private modules, leading to the manipulation of marketing analytics and conversion statistics.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action**: `hustle_module_converted`\n- **Method**: POST\n- **Authentication**: None (Unauthenticated via `nopriv` registration)\n- **Parameters**:\n    - `action`: `hustle_module_converted` (Required)\n    - `id`: The integer ID of the Hustle module (e.g., popup or slide-in ID).\n    - `module_id`: Often used interchangeably with `id`.\n    - `module_type`: The type of module (e.g., `popup`, `slidein`, `embedded`).\n    - `nonce`: A security nonce, typically localized on the frontend.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point**: A POST request is sent to `admin-ajax.php` with `action=hustle_module_converted`.\n2.  **Hook Registration**: The plugin registers `add_action( 'wp_ajax_nopriv_hustle_module_converted', ... )` and `add_action( 'wp_ajax_hustle_module_converted', ... )`, pointing to a handler (likely in `inc\u002Fclass-hustle-ajax.php` or `inc\u002Fhustle-functions.php`).\n3.  **Vulnerable Handler**: The handler function retrieves the `module_id` and `module_type` from the request.\n4.  **Missing Authorization**: The code fails to verify if the user has permissions to modify tracking data or, more importantly, fails to verify if the targeted `module_id` is currently **published** and **active**. \n5.  **Sink**: The plugin calls a tracking method (e.g., `Hustle_Tracking::save_tracking()`) which executes a database query (usually on the `{$wpdb->prefix}hustle_tracking` table) to increment the conversion count.\n\n## 4. Nonce Acquisition Strategy\nHustle localizes tracking nonces for frontend use. To obtain a valid nonce unauthenticated:\n1.  **Identify\u002FCreate a Trigger**: Navigate to any page where a Hustle module is active. If no module is active, we can create a simple published popup.\n2.  **Locate Nonce Variable**: Hustle enqueues scripts that include a global variable containing the nonce.\n    - **JS Object**: `hustle_front_vars` (inferred from standard Hustle frontend localization).\n    - **Key**: `ajax_nonce`.\n3.  **Extraction Method**:\n    - Navigate to the WordPress site.\n    - Use `browser_eval` to extract the nonce: `window.hustle_front_vars?.ajax_nonce`.\n\n## 5. Exploitation Strategy\n\n### Step 1: Discover Target Module ID\nIdentify a module ID to target. This can be an existing popup or a newly created draft.\n- **WP-CLI**: `wp post list --post_type=hustle_popup --post_status=draft`\n\n### Step 2: Obtain Frontend Nonce\nNavigate to the homepage and extract the nonce.\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002F`\n- **JS**: `window.hustle_front_vars.ajax_nonce`\n\n### Step 3: Forge Conversion Request\nSend a POST request to increment the conversion counter for the target ID.\n- **URL**: `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Payload**:\n    ```\n    action=hustle_module_converted&id=[MODULE_ID]&module_id=[MODULE_ID]&module_type=popup&nonce=[NONCE]\n    ```\n- **Note**: The `module_type` must match the actual type of the module (popup, slidein, etc.).\n\n## 6. Test Data Setup\n1.  **Create a Draft Popup**:\n    ```bash\n    wp post create --post_type=hustle_popup --post_title=\"Hidden Draft\" --post_status=draft\n    ```\n    *Note: Capture the ID from the output.*\n2.  **Create a Public Popup (for Nonce)**:\n    ```bash\n    wp post create --post_type=hustle_popup --post_title=\"Public Trigger\" --post_status=publish\n    ```\n3.  **Verify Initial Stats**:\n    Check the tracking table (if accessible) or use the plugin's internal methods via CLI to see conversion counts for the Draft ID.\n\n## 7. Expected Results\n- The AJAX request should return a successful response (likely `{\"success\":true}` or a JSON object containing the new count).\n- The conversion statistics for the targeted module (including the draft) will increment in the database.\n\n## 8. Verification Steps\n1.  **Database Inspection**:\n    Query the tracking table directly to see if the count for the specific `module_id` increased.\n    ```bash\n    wp db query \"SELECT count FROM $(wp db prefix)hustle_tracking WHERE module_id=[ID] AND type='conversion'\"\n    ```\n2.  **UI Verification**:\n    If access to the admin dashboard is available, navigate to the Hustle \"Popups\" list and check the \"Conversions\" column for the Draft module.\n\n## 9. Alternative Approaches\n- **Module Types**: If `popup` does not work, try `slidein`, `embedded`, or `social_sharing`.\n- **Bulk Manipulation**: Attempt to send a loop of requests to significantly inflate the numbers (e.g., 100 conversions) to confirm the lack of rate limiting or authorization.\n- **Param Variation**: If `id` fails, ensure `module_id` is present, as some versions of the plugin transition between these parameter names.","gemini-3-flash-preview","2026-04-17 20:55:37","2026-04-17 20:56:22",{"type":36,"vulnerable_version":37,"fixed_version":11,"vulnerable_browse":38,"vulnerable_zip":39,"fixed_browse":40,"fixed_zip":41,"all_tags":42},"plugin","7.8.10.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwordpress-popup\u002Ftags\u002F7.8.10.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordpress-popup.7.8.10.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwordpress-popup\u002Ftags\u002F7.8.11","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordpress-popup.7.8.11.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwordpress-popup\u002Ftags"]