CVE-2026-0911 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) affecting the WordPress plugin 'Hustle – Email Marketing, Lead Generation, Optins, Popups' developed by wpmudev. The vulnerability arises from insufficient validation of file types in the action_import_module() function, allowing authenticated users with low privileges (Subscriber-level or higher) to upload arbitrary files to the server. However, exploitation requires that an administrator grants the low-privileged user Hustle module permissions or module edit access, which provides access to the Hustle admin interface and the necessary nonce token to perform the upload. This flaw can be leveraged to upload malicious files, potentially enabling remote code execution (RCE) on the web server hosting the WordPress site. The vulnerability affects all plugin versions up to and including 7.8.9.2. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. No public exploits are known at this time, but the risk remains significant due to the potential for privilege escalation and server compromise. The vulnerability was published on January 24, 2026, and was reserved earlier that month. The plugin is widely used for marketing and lead generation on WordPress sites, making this a relevant threat for many web-facing applications.

For European organizations, the impact of CVE-2026-0911 can be substantial, especially for those relying on WordPress sites with the Hustle plugin installed for marketing and lead generation. Successful exploitation could lead to remote code execution, allowing attackers to execute arbitrary commands, deploy malware, steal sensitive data, or disrupt services. This compromises the confidentiality, integrity, and availability of affected systems. Organizations with multi-user WordPress environments are particularly vulnerable if permission controls are not strictly enforced. The breach could lead to data leaks involving customer information, intellectual property theft, or defacement of websites, damaging reputation and potentially violating GDPR regulations. Additionally, attackers could use compromised servers as pivot points for lateral movement within corporate networks. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability becomes widely known.

1. Immediately audit and restrict Hustle plugin module permissions to ensure that only trusted administrators have module edit or permissions access. Avoid granting such permissions to low-privileged users. 2. Monitor user roles and capabilities within WordPress to prevent privilege escalation or unauthorized access to the Hustle admin interface. 3. Implement strict file upload controls and scanning on the server to detect and block suspicious or executable file types, even if uploaded. 4. Regularly update the Hustle plugin to the latest version once a patch addressing CVE-2026-0911 is released by wpmudev. 5. Employ Web Application Firewalls (WAF) with rules to detect and block anomalous file upload attempts targeting the Hustle plugin endpoints. 6. Conduct regular security audits and penetration testing focusing on WordPress plugins and user permission configurations. 7. Educate administrators about the risks of granting module permissions to low-privileged users and enforce the principle of least privilege. 8. Monitor server logs for unusual file upload activity or access patterns related to the Hustle plugin admin pages.