Cyber Resilience

CVE-2026-0911

Severity: High
Published: 24 January 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: available
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0012 (30.9th percentile)
Risk priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-0911 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in WordPress (affected product inferred from references). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS ranking is the 30.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-0911 is an arbitrary file upload vulnerability in the Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress, affecting all versions up to and including 7.8.9.2. The flaw arises from incorrect file type validation in the action_import_module() function, enabling attackers to upload arbitrary files to the affected site's server. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability was published on 2026-01-24.

Authenticated attackers with low-privileged roles, such as Subscriber-level access or higher, can exploit this issue to upload arbitrary files, which may lead to remote code execution on the server. Successful exploitation hinges on an administrator first granting the low-privileged user Hustle module permissions or module edit access, allowing them to reach the Hustle admin page and obtain the required nonce.

Mitigation details are available in advisories from Wordfence and a patch committed in WordPress plugin changeset 3440956 for the wordpress-popup repository. Security practitioners should update the Hustle plugin to a version beyond 7.8.9.2 and review user permissions to prevent low-privileged access to module administration.

Vulnerability details

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, with a lower-privileged role (e.g., Subscriber-level access and above), to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires an admin to grant Hustle module permissions (or module edit access) to the low-privileged user so they can access the Hustle admin page and obtain the required nonce.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

An arbitrary file upload in a public-facing WordPress plugin directly enables exploitation of the web application (T1190) and deployment of a web shell for remote code execution (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-46384 (shared CWE-434)
CVE-2025-13516 (shared CWE-434)
CVE-2024-13011 (shared CWE-434)
CVE-2025-8323 (shared CWE-434)
CVE-2025-21624 (shared CWE-434)
CVE-2026-35164 (shared CWE-434)
CVE-2026-2097 (shared CWE-434)
CVE-2025-12154 (shared CWE-434)
CVE-2026-42748 (shared CWE-434)
CVE-2025-32957 (shared CWE-434)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI)

SI-2 Flaw Remediation (prevent): Flaw remediation directly mitigates this vulnerability by patching the Hustle plugin beyond version 7.8.9.2 to fix the incorrect file type validation in action_import_module().

AC-6 Least Privilege (prevent): Least privilege prevents low-privileged users (e.g., Subscriber) from being granted the Hustle module permissions or edit access required to reach the vulnerable import function.

SI-10 Information Input Validation (prevent): Information input validation enforces proper file type checking for uploads, directly countering the unrestricted arbitrary file upload caused by inadequate validation in the plugin.
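As an added defensive illustration (not code from the Hustle plugin, the Wordfence advisory or the WordPress changeset), this is how an import-style upload handler can enforce the AC-6 and SI-10 controls described above; the hook, function and form-field names are assumed.

```php
<?php
// Added illustrative example, not the Hustle plugin's code. Names such as
// example_handle_import_module and the 'import_file' field are assumptions.

add_action( 'wp_ajax_example_import_module', 'example_handle_import_module' );

function example_handle_import_module() {
    // AC-6: gate the import on an administrative capability, so a Subscriber
    // cannot reach it even if some plugin-level grant was handed out.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // A nonce proves the request originated from the admin page; it is not an
    // authorisation check, so it is verified in addition to the capability.
    check_ajax_referer( 'example_import_module', 'nonce' );

    if ( empty( $_FILES['import_file']['tmp_name'] )
        || ! is_uploaded_file( $_FILES['import_file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }
    $upload = $_FILES['import_file'];

    // SI-10: allowlist exactly the one extension/MIME pair an export can have,
    // instead of denylisting ".php" and hoping nothing else is executable.
    $allowed = array( 'json' => 'application/json' );
    $ftype   = wp_check_filetype( sanitize_file_name( $upload['name'] ), $allowed );
    if ( 'json' !== $ftype['ext'] ) {
        wp_send_json_error( 'unsupported file type', 415 );
    }

    // SI-10: the extension is only a hint; the real check is that the bytes
    // parse as the structure we expect. Cap the size before reading it.
    if ( $upload['size'] > 1024 * 1024 ) {
        wp_send_json_error( 'import too large', 413 );
    }
    $data = json_decode( file_get_contents( $upload['tmp_name'] ), true );
    if ( JSON_ERROR_NONE !== json_last_error() || ! is_array( $data ) ) {
        wp_send_json_error( 'malformed import', 400 );
    }

    // CWE-434 is about what lands on disk: the upload is consumed from its
    // temporary location and never moved anywhere under the web root.
    // ... apply $data to module settings through the plugin's own sanitised setters ...

    wp_send_json_success( array( 'modules' => count( $data ) ) );
}
```

The capability used (manage_options) is an assumption about what an appropriate administrative gate looks like; the point is that the nonce alone never stands in for it.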
