CVE-2026-0911 is a vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type) found in the WordPress plugin Hustle – Email Marketing, Lead Generation, Optins, Popups by wpmudev. The flaw exists in the action_import_module() function, where the plugin fails to properly validate file types during upload. This allows authenticated users with low privileges (Subscriber-level or higher) to upload arbitrary files to the server. However, exploitation is contingent upon an administrator granting the attacker module permissions or edit access to the Hustle admin page, enabling the attacker to obtain the necessary nonce for the upload action. Once arbitrary files are uploaded, attackers may execute remote code, potentially taking full control of the affected WordPress site and underlying server. The vulnerability affects all plugin versions up to and including 7.8.9.2. The CVSS v3.1 base score is 7.5, indicating high severity, with attack vector network, attack complexity high, privileges required low, no user interaction, and impacts to confidentiality, integrity, and availability all rated high. No public exploits have been reported yet, but the risk is significant due to the potential for remote code execution. The vulnerability highlights the risk of improper file validation combined with insufficient access control in WordPress plugins, especially those handling file uploads and administrative functions.

The impact of CVE-2026-0911 is substantial for organizations using the Hustle plugin on WordPress sites. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands on the web server. This can result in full site compromise, data theft, defacement, or use of the server as a pivot point for further attacks within the network. Confidentiality is at risk as attackers may access sensitive user data or business information. Integrity is compromised through unauthorized modifications or insertion of malicious content. Availability may be affected if attackers disrupt services or deploy ransomware. Because the vulnerability requires some level of authenticated access and administrative permission granting, insider threats or compromised accounts increase risk. Organizations relying on WordPress for marketing, lead generation, or customer engagement may face reputational damage and regulatory consequences if exploited. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the potential severity once exploitation techniques become public.

To mitigate CVE-2026-0911, organizations should immediately audit and restrict permissions related to the Hustle plugin, ensuring that only trusted administrators can grant module or edit access. Avoid granting Hustle module permissions to low-privileged users. Monitor user roles and access logs for suspicious privilege escalations or unusual activity on the Hustle admin pages. Implement web application firewalls (WAFs) with rules to detect and block suspicious file upload attempts targeting the plugin. Disable or remove the Hustle plugin if it is not essential. Regularly update the plugin to the latest version once a patch addressing this vulnerability is released by wpmudev. Employ file integrity monitoring on the WordPress installation to detect unauthorized file uploads or changes. Additionally, enforce strong authentication and consider multi-factor authentication for WordPress admin accounts to reduce the risk of account compromise. Backup WordPress sites regularly to enable recovery in case of exploitation.