CVE-2026-0911
Published: 24 January 2026
Summary
CVE-2026-0911 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability affecting WordPress (the product is inferred from the references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-0911 is an arbitrary file upload vulnerability in the Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress, affecting all versions up to and including 7.8.9.2. The flaw arises from incorrect file type validation in the action_import_module() function, enabling attackers to upload arbitrary files to the affected site's server. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability was published on 2026-01-24.
Authenticated attackers with low-privileged roles, such as Subscriber-level access or higher, can exploit this issue to upload arbitrary files, which may lead to remote code execution on the server. Successful exploitation hinges on an administrator first granting the low-privileged user Hustle module permissions or module edit access, allowing them to reach the Hustle admin page and obtain the required nonce.
Mitigation details are available in advisories from Wordfence and a patch committed in WordPress plugin changeset 3440956 for the wordpress-popup repository. Security practitioners should update the Hustle plugin to a version beyond 7.8.9.2 and review user permissions to prevent low-privileged access to module administration.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4543
Vulnerability details
The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, with a lower-privileged role (e.g., Subscriber-level access and above), to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires an admin to grant Hustle module permissions (or module edit access) to the low-privileged user so they can access the Hustle admin page and obtain the required nonce.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An arbitrary file upload in a public-facing WordPress plugin directly enables exploitation of the web application (T1190) and deployment of a web shell for remote code execution (T1505.003).
Mitigating Controls (NIST 800-53 r5)
Flaw remediation directly mitigates this vulnerability by patching the Hustle plugin beyond version 7.8.9.2 to fix the incorrect file type validation in action_import_module().
Least privilege prevents low-privileged users (e.g., Subscriber) from being granted Hustle module permissions or edit access required to reach the vulnerable import function.
Information input validation enforces proper file type checking for uploads, directly countering the unrestricted arbitrary file upload due to inadequate validation in the plugin.
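The three controls above, and the exploitation preconditions described under Deeper analysis (a nonce plus a plugin-level permission that an administrator can hand to a low-privileged role), map onto a small set of checks an import handler should perform before it ever touches an uploaded file. The following is an added illustrative example written for this page; it is not the Hustle plugin's code or its patch. The hook name, nonce action, capability, file field name and the JSON-only allowlist are assumptions chosen for the example.

```php
<?php
// Added illustrative example (not the Hustle plugin's code or its fix):
// a hardened AJAX import handler for a WordPress plugin. Every name below
// (hook, nonce action, field name, capability, allowed type) is assumed.

add_action( 'wp_ajax_example_import_module', 'example_handle_import_module' );

function example_handle_import_module() {
    // 1. Nonce check (SI-10): the request must carry a nonce bound to this
    //    specific action, not a generic page nonce.
    check_ajax_referer( 'example_import_module', 'nonce' );

    // 2. Least privilege (AC-6): gate on a core administrative capability
    //    rather than a plugin-specific permission that an admin could grant
    //    to a Subscriber-level account.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Only accept a genuine uploaded file for this request.
    if ( empty( $_FILES['import_file']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['import_file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }
    $file = $_FILES['import_file'];

    // 4. Input validation (SI-10): allowlist the type by extension AND by
    //    content. wp_check_filetype_and_ext() rejects the file if the
    //    extension is outside the allowlist or the detected MIME disagrees.
    $allowed = array( 'json' => 'application/json' );
    $check   = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || 'json' !== $check['ext'] ) {
        wp_send_json_error( 'unsupported file type', 415 );
    }

    // 5. Never persist the upload under a web-served path. Parse it in
    //    memory and apply the decoded settings; the temp file is discarded
    //    by PHP when the request ends.
    $raw  = file_get_contents( $file['tmp_name'] );
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) || JSON_ERROR_NONE !== json_last_error() ) {
        wp_send_json_error( 'invalid JSON', 400 );
    }

    // Apply $data through the plugin's own sanitizing setters here.
    wp_send_json_success( array( 'imported' => count( $data ) ) );
}
```

The important design choice is step 5: an import routine that needs to read configuration has no reason to write the uploaded bytes anywhere the web server can execute them, so even a validation slip does not by itself yield a web shell. Steps 1 and 2 are independent of the file check and should stay that way; the capability check in particular is what denies the Subscriber-plus-permission path the advisory describes.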