[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4YxwPA38vhp8vvJCmiKg0aG-_w9_Cg4U67dYAxZdBRI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":27,"research_verified":28,"research_rounds_completed":29,"research_plan":30,"research_summary":31,"research_vulnerable_code":32,"research_fix_diff":33,"research_exploit_outline":34,"research_model_used":35,"research_started_at":36,"research_completed_at":37,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":28,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":28,"source_links":38},"CVE-2026-24998","hustle-unauthenticated-information-exposure","Hustle \u003C= 7.8.9.2 - Unauthenticated Information Exposure","The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.8.9.2. 
This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.","wordpress-popup",null,"\u003C=7.8.9.2","7.8.9.3","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-01-25 00:00:00","2026-02-02 20:57:37",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4f555084-2dd5-4c48-ac0e-4e0bb562ac70?source=api-prod",9,[22,23,24,25,26],"assets\u002Fjs\u002Fadmin.min.js","inc\u002Fhustle-modules-common-admin-ajax.php","languages\u002Fhustle-en_US.po","popover.php","readme.txt","researched",false,3,"# Research Plan: CVE-2026-24998 - Hustle Unauthenticated Information Exposure\n\n## 1. Vulnerability Summary\nThe Hustle plugin (versions \u003C= 7.8.9.2) is vulnerable to **Sensitive Information Exposure**. This vulnerability allows unauthenticated users to extract sensitive configuration data, specifically including reCaptcha secret keys and integration API keys. The exposure occurs because the plugin localizes comprehensive settings and module configuration objects into the frontend HTML via `wp_localize_script`, failing to sanitize or strip sensitive credentials before they are sent to the client.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: Any public-facing WordPress page where a Hustle module (popup, slide-in, or embed) is active.\n- **Payload**: A simple GET request to the site's frontend.\n- **Authentication**: None (Unauthenticated).\n- **Preconditions**: \n    1. A Hustle module must be created and published.\n    2. Sensitive data must be configured (e.g., reCaptcha secret keys in global settings or Mailchimp\u002FZapier API keys in module integrations).\n\n## 3. Code Flow\n1. **Settings Storage**: Settings are stored in the WordPress database (typically in the `wp_options` table under keys like `hustle_settings`).\n2. 
**Frontend Initialization**: When a page loads, the plugin's frontend display logic (often handled by a class like `Hustle_Front_Display` or `Hustle_Init`) gathers the necessary data","The Hustle plugin for WordPress fails to properly sanitize configuration objects before localizing them for use in frontend scripts. This allows unauthenticated attackers to view sensitive credentials, such as reCaptcha secret keys and third-party integration API keys, by simply inspecting the HTML source code of any page where a Hustle module is active.","\u002F\u002F The vulnerability exists in the frontend initialization logic (typically in a display class)\n\u002F\u002F where the plugin localizes the entire settings array to the client side without stripping sensitive keys.\n\n\u002F\u002F Example logic based on research:\n$settings = get_option( 'hustle_settings' );\n\u002F\u002F ...\nwp_localize_script( 'hustle-front-scripts', 'hustle_data', $settings );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwordpress-popup\u002F7.8.9.2\u002Fassets\u002Fjs\u002Fadmin.min.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwordpress-popup\u002F7.8.9.3\u002Fassets\u002Fjs\u002Fadmin.min.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwordpress-popup\u002F7.8.9.2\u002Fassets\u002Fjs\u002Fadmin.min.js\t2025-09-15 06:29:02.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwordpress-popup\u002F7.8.9.3\u002Fassets\u002Fjs\u002Fadmin.min.js\t2026-01-16 12:13:04.000000000 +0000\n@@ -1 +1 @@\n-!function(){var e={146:function(e,t,i){var s=i(5842),n=i(5413);Hustle.define(\"Settings.View\",function(e,t,i){\"use strict\";const a=\"_page_hustle_settings\";if(a!==pagenow.substr(pagenow.length-21))return;new(Backbone.View.extend({el:\".sui-wrap-hustle\",events:{\"click .sui-sidenav .sui-vertical-tab a\":\"sidenav\",\"click 
a.hustle-open-tab\":\"sidenav\",\"change select.sui-mobile-nav\":\"sidenavMobile\",\"click .sui-pagination-wrap > button\":\"pagination\",\"click .hustle-load-on-click\":\"addLoadingState\",\"click .hustle-settings-save\":\"handleSave\",\"submit form.sui-box-body\":\"preventSubmit\"},initialize(){const t=Hustle.get(\"Settings.reCaptcha_Settings\"),s=Hustle.get(\"Settings.Top_Metrics_View\"),n=Hustle.get(\"Settings.Privacy_Settings\"),a=Hustle.get(\"Settings.Permissions_View\"),o=Hustle.get(\"Settings.Data_Settings\"),l=Hustle.get(\"Settings.Palettes\");this.recaptchaView=new t,new s,new n,new a,new o,new l,e(i).off(\"popstate\",e=>this.tabUpdate(e)),e(i).on(\"popstate\",e=>this.tabUpdate(e)),Hustle.Events.trigger(\"view.rendered\",this),this.doActionsBasedOnUrl()},doActionsBasedOnUrl(){if(s.getUrlParam(\"show-notice\")){const e=\"success\"===s.getUrlParam(\"show-notice\")?\"success\":\"error\",t=s.getUrlParam(\"notice\"),i=t&&\"undefined\"!==optinVars.messages[t]?optinVars.messages[t]:s.getUrlParam(\"notice-message\");void 0!==i&&i.length&&n.Notification.open(e,i)}else s.getUrlParam(\"404-downgrade-modal\")&&this.$(\"#hustle-dialog--404-downgrade\").length&&SUI.openModal(\"hustle-dialog--404-downgrade\",\"hustle-popup-number\")},sidenav(t){const i=e(t.target).data(\"tab\");i&&this.tabJump(i,!0),t.preventDefault()},sidenavMobile(t){const i=e(t.currentTarget).val();i&&this.tabJump(i,!0)},tabUpdate(e){const t=e.originalEvent.state;t&&this.tabJump(t.tabSelected)},tabJump(e,t){const i=this.$el.find('a[data-tab=\"'+e+'\"]'),s=i.closest(\".sui-vertical-tabs\").find(\".sui-vertical-tab\"),n=this.$el.find(\".sui-box[data-tab]\"),a=this.$el.find('.sui-box[data-tab=\"'+e+'\"]');t&&history.pushState({tabSelected:e},\"Hustle Settings\",\"admin.php?page=hustle_settings&section=\"+e),s.removeClass(\"current\"),n.hide(),i.parent().addClass(\"current\"),a.show()},pagination(e){const 
t=this.$(e.target).closest(\".sui-pagination-wrap\"),i=t.find(\".sui-button-icon\"),s=t.next(\".sui-pagination-filter\");i.toggleClass(\"sui-active\"),s.toggleClass(\"sui-open\"),e.preventDefault(),e.stopPropagation()},preventSubmit(e){e.preventDefault()},handleSave(t){t.preventDefault();const i=this,s=e(t.currentTarget),a=s.data(\"form-id\"),o=s.data();let l=new FormData;if(tinyMCE.triggerSave(),void 0!==a){const t=e(\"#\"+a);t.length&&(l=new FormData(t[0]),e.each(t.find(\"input[type=checkbox]\"),function(){const t=e(this);t.is(\":checked\")||l.append(t.attr(\"name\"),\"0\")}))}e.each(o,(e,t)=>l.append(e,t)),l.append(\"_ajax_nonce\",optinVars.current.save_settings_nonce),l.append(\"action\",\"hustle_save_settings\"),s.addClass(\"sui-button-onload\"),s.prop(\"disabled\",!0),e.ajax({url:ajaxurl,type:\"POST\",data:l,contentType:!1,processData:!1}).done(t=>{t.data?(t.data.callback&&\"undefined\"!==i[t.data.callback]&&i[t.data.callback](s,t.data,t.success),t.data.url?!0===t.data.url?location.reload():location.replace(t.data.url):t.data.notification&&n.Notification.open(t.data.notification.status,t.data.notification.message,t.data.notification.delay),t.data.url||(e(\".sui-button-onload\").removeClass(\"sui-button-onload\"),s.prop(\"disabled\",!1))):(t.success?n.Notification.open(\"success\",optinVars.messages.settings_saved):n.Notification.open(\"error\",optinVars.messages.something_went_wrong_reload),e(\".sui-button-onload\").removeClass(\"sui-button-onload\"),s.prop(\"disabled\",!1))}).fail(()=>{e(\".sui-button-onload\").removeClass(\"sui-button-onload\"),s.prop(\"disabled\",!1),n.Notification.open(\"error\",optinVars.messages.something_went_wrong)})},actionSaveRecaptcha(){this.recaptchaView.maybeRenderRecaptchas()},addLoadingState(t){e(t.currentTarget).addClass(\"sui-button-onload\")}}))})}","To exploit this vulnerability, an unauthenticated attacker performs a simple GET request to any public-facing page where a Hustle module (popup, slide-in, or embed) is active. 
By inspecting the HTML source code of the response, the attacker searches for localized JavaScript objects such as 'hustleVars' or 'optinVars' created via wp_localize_script. These objects contain the plugin's full configuration, including sensitive plaintext credentials like Google reCaptcha secret keys and API keys for integrations like Mailchimp or Zapier, which can then be used to perform unauthorized actions on those third-party services.","gemini-3-flash-preview","2026-05-05 00:20:01","2026-05-05 00:20:52",{"type":39,"vulnerable_version":40,"fixed_version":11,"vulnerable_browse":41,"vulnerable_zip":42,"fixed_browse":43,"fixed_zip":44,"all_tags":45},"plugin","7.8.9.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwordpress-popup\u002Ftags\u002F7.8.9.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordpress-popup.7.8.9.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwordpress-popup\u002Ftags\u002F7.8.9.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwordpress-popup.7.8.9.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwordpress-popup\u002Ftags"]
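Review bot: the only hunk shown (`@@ -1 +1 @@` in assets/js/admin.min.js) carries its `-` line but the `+` line is cut off, and the code it removes is the admin Settings.View module, which returns early unless `pagenow` ends in `_page_hustle_settings`; nothing in it is served to an unauthenticated frontend visitor, so this hunk does not evidence the wp_localize_script fix the research summary describes. The changed-file list also names inc/hustle-modules-common-admin-ajax.php and popover.php, and the server-side hunks from those files are what is needed to confirm that secret keys are stripped before settings are localized. Note as well that `optinVars` in this hunk is consumed on the admin page (`optinVars.current.save_settings_nonce`, `optinVars.messages`), so the exploit outline should not cite it as the frontend object without confirming it is also localized on public pages.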
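The research above describes the leak as a settings array passed whole to wp_localize_script and the fix as stripping sensitive keys before localization. The following is an added example, not code from the Hustle plugin, from the advisory or from the research output: a Python check that pulls every `var name = {json};` object that wp_localize_script emitted into a rendered page, flags fields whose key names look like credentials, and shows the allow-list projection a server should apply before localizing. The script handle `hustle-front-scripts`, the object name `hustle_data` and every field name in `SAMPLE_HTML` are assumptions chosen to mirror the shape the research describes; the sample page is constructed, not captured from a real site.

```python
"""
Check a rendered WordPress page for settings objects that wp_localize_script
emitted into the HTML, and flag values whose key names suggest credentials.

Added example for this advisory; it is not code from the Hustle plugin or
from the research above. The handle 'hustle-front-scripts', the object name
'hustle_data' and the field names in SAMPLE_HTML are assumptions chosen to
mirror the shape the research describes (a settings array localized whole).
"""
import json
import re
from typing import Any, Dict, Iterable, List, Tuple

# wp_localize_script prints `var <name> = <json>;` inside a <script> block
# (wrapped in CDATA comments). The non-greedy match stops at the first `};`,
# which is fine for WP's single-line JSON but would mis-split a value that
# itself contains the two characters `};`.
LOCALIZED_RE = re.compile(r"var\s+([A-Za-z_$][\w$]*)\s*=\s*(\{.*?\});", re.DOTALL)

# Key names that must never be sent to an unauthenticated client.
SENSITIVE_KEY_RE = re.compile(
    r"(secret|api[_-]?key|private|token|password|client[_-]?secret)", re.IGNORECASE
)

# Constructed page fragment: one Hustle-style object holding both public and
# secret values, plus an unrelated inline script that must not be flagged.
SAMPLE_HTML = """<!doctype html><html><head>
<script type="text/javascript" id="hustle-front-scripts-js-extra">
/* <![CDATA[ */
var hustle_data = {"ajaxurl":"https:\\/\\/example.test\\/wp-admin\\/admin-ajax.php","recaptcha":{"site_key":"6Lc-public-key","secret_key":"6Lc-secret-key"},"modules":[{"id":"3","integrations":{"mailchimp":{"api_key":"abc123-us1"}}}]};
/* ]]> */
</script>
<script>var other = {"a":1};</script>
</head><body></body></html>"""


def extract_localized_objects(html: str) -> Dict[str, Any]:
    """Return {object_name: parsed_json} for every `var x = {...};` that is valid JSON."""
    objects: Dict[str, Any] = {}
    for name, body in LOCALIZED_RE.findall(html):
        try:
            objects[name] = json.loads(body)
        except json.JSONDecodeError:
            continue  # hand-written JS object literal, not wp_localize_script output
    return objects


def find_sensitive(node: Any, path: str = "") -> List[Tuple[str, str]]:
    """Walk nested dicts/lists; return (dotted.path, value) for secret-looking string fields."""
    hits: List[Tuple[str, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if isinstance(value, str) and value and SENSITIVE_KEY_RE.search(key):
                hits.append((here, value))
            hits.extend(find_sensitive(value, here))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_sensitive(value, f"{path}[{index}]"))
    return hits


def scan_page(html: str) -> List[Tuple[str, str]]:
    """All secret-looking fields across every localized object, prefixed with the object name."""
    findings: List[Tuple[str, str]] = []
    for name, obj in extract_localized_objects(html).items():
        findings.extend((f"{name}.{path}", value) for path, value in find_sensitive(obj))
    return findings


def redact_for_client(settings: Dict[str, Any], allowed_paths: Iterable[str]) -> Dict[str, Any]:
    """Allow-list projection: copy only the named dotted paths, so a secret added
    to the settings array later is withheld by default instead of leaked."""
    out: Dict[str, Any] = {}
    for path in allowed_paths:
        parts = path.split(".")
        src: Any = settings
        dst = out
        for key in parts[:-1]:
            if not isinstance(src, dict) or key not in src:
                break
            src = src[key]
            dst = dst.setdefault(key, {})
        else:
            if isinstance(src, dict) and parts[-1] in src:
                dst[parts[-1]] = src[parts[-1]]
    return out


if __name__ == "__main__":
    for location, value in scan_page(SAMPLE_HTML):
        print(f"LEAK {location} = {value!r}")
    safe = redact_for_client(extract_localized_objects(SAMPLE_HTML)["hustle_data"],
                             ["ajaxurl", "recaptcha.site_key"])
    print("client-safe object:", json.dumps(safe))
```

Run it against the HTML of a public page that renders a Hustle module (before and after updating to 7.8.9.3) by replacing `SAMPLE_HTML` with the fetched source; an empty result from `scan_page` on the patched site, together with a non-empty one on the vulnerable site, is the confirmation a practitioner wants. The allow-list in `redact_for_client` is the design point: a deny-list of known secret names misses the next integration's key, whereas an explicit list of client-needed fields fails closed.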