CVE-2026-0911 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the WordPress plugin Hustle – Email Marketing, Lead Generation, Optins, Popups, developed by wpmudev. The flaw exists in the action_import_module() function, where file type validation is insufficient, allowing authenticated users with low privileges (Subscriber-level or higher) to upload arbitrary files to the server. However, exploitation requires that an administrator grants the attacker module permissions or module edit access, which provides access to the Hustle admin page and the necessary nonce for the upload process. This vulnerability can lead to remote code execution (RCE), enabling attackers to execute malicious code on the server, potentially leading to full site compromise, data theft, or further lateral movement within the hosting environment. The vulnerability affects all plugin versions up to and including 7.8.9.2. The CVSS 3.1 score of 7.5 indicates a high severity, with network attack vector, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No public exploits are known at this time, but the risk remains significant due to the potential impact and ease of exploitation once permissions are granted.

For European organizations, this vulnerability poses a significant risk to WordPress-based websites that utilize the Hustle plugin for marketing and lead generation. Exploitation could lead to unauthorized remote code execution, allowing attackers to compromise sensitive customer data, inject malicious content, or disrupt website availability. This could result in reputational damage, regulatory penalties under GDPR due to data breaches, and operational downtime. Organizations with complex user role assignments or those that delegate module permissions without strict controls are particularly vulnerable. The impact extends beyond the affected website, as attackers could leverage the compromised server as a pivot point for broader network intrusion. Given the widespread use of WordPress in Europe, especially among SMEs and digital service providers, the threat could affect a broad range of sectors including e-commerce, media, and professional services.

1. Immediately review and restrict module permissions within the Hustle plugin, ensuring only trusted administrators have access to module editing capabilities. 2. Implement strict role-based access controls (RBAC) to prevent low-privileged users from gaining elevated permissions. 3. Monitor and audit user permissions regularly to detect any unauthorized changes. 4. Disable or remove the Hustle plugin if it is not essential to reduce the attack surface. 5. Apply security plugins or web application firewalls (WAFs) that can detect and block suspicious file upload attempts. 6. Monitor server logs for unusual file upload activity or access to the Hustle admin pages. 7. Stay alert for official patches or updates from wpmudev and apply them promptly once released. 8. Educate administrators about the risks of granting module permissions to low-privileged users. 9. Consider isolating WordPress instances or using containerization to limit the impact of potential compromises.