{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2263", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-09T18:28:09.484Z", "datePublished": "2026-04-07T23:25:26.728Z", "dateUpdated": "2026-04-08T18:20:10.441Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:51.227Z"}, "affected": [{"vendor": "wpmudev", "product": "Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.8.10.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for unauthenticated attackers to forge conversion tracking events for any Hustle module, including draft modules that are never displayed to users, thereby manipulating marketing analytics and conversion statistics."}], "title": "Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups <= 7.8.10.2 - Missing Authorization to Unauthenticated Conversion Tracking Data Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2305462c-0a00-4423-8dc2-e32628c4864d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L32"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L1047"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front.php#L311"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/wordpress-popup/tags/7.8.10.2&new_path=/wordpress-popup/tags/7.8.11"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen C"}], "timeline": [{"time": "2026-02-09T18:43:18.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T10:52:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T18:10:34.710486Z", "id": "CVE-2026-2263", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:20:10.441Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2263", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-09T18:28:09.484Z", "datePublished": "2026-04-07T23:25:26.728Z", "dateUpdated": "2026-04-08T18:20:10.441Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:51.227Z"}, "affected": [{"vendor": "wpmudev", "product": "Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.8.10.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for unauthenticated attackers to forge conversion tracking events for any Hustle module, including draft modules that are never displayed to users, thereby manipulating marketing analytics and conversion statistics."}], "title": "Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups <= 7.8.10.2 - Missing Authorization to Unauthenticated Conversion Tracking Data Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2305462c-0a00-4423-8dc2-e32628c4864d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L32"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L1047"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front.php#L311"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=/wordpress-popup/tags/7.8.10.2&new_path=/wordpress-popup/tags/7.8.11"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen C"}], "timeline": [{"time": "2026-02-09T18:43:18.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T10:52:41.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2263", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T18:10:34.710486Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T18:19:59.662Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for unauthenticated attackers to forge conversion tracking events for any Hustle module, including draft modules that are never displayed to users, thereby manipulating marketing analytics and conversion statistics."}], "id": "CVE-2026-2263", "lastModified": "2026-04-08T21:26:35.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T00:16:04.980", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L1047"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front-ajax.php#L32"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/front/hustle-module-front.php#L311"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=/wordpress-popup/tags/7.8.10.2&new_path=/wordpress-popup/tags/7.8.11"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2305462c-0a00-4423-8dc2-e32628c4864d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.8.10.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups", "source": "cna", "vendor": "wpmudev"}, "product": "hustle_\u2013_email_marketing,_lead_generation,_optins,_popups", "vendor": "wpmudev"}], "analysis": {"en": {"generated_at": "2026-04-08T00:50:26.799534+00:00", "value": {"mitigation_remediation": ["Upgrade the Hustle plugin to version 7.8.11 or later, which includes the missing capability check.", "Verify that the upgrade has been applied by checking the plugin version on the WordPress admin panel.", "Review active modules and audit conversion logs for any irregularities after the patch."], "summary": {"action": "Patch", "impact": "Unauthorized modification of conversion tracking data"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups plugin from any version up to and including 7.8.10.2 are vulnerable. The issue is present in all editions of the plugin distributed via the WordPress plugin repository before the 7.8.11 release.", "description_and_impact": "The Hustle plugin includes an AJAX action named hustle_module_converted that records conversion events. A missing capability check allows anyone, even users who are not logged in, to trigger this action and create or modify conversion records. By sending crafted requests, an attacker can falsely inflate or deflate conversion counts for any module, including drafts that never reach visitors. This compromises data integrity, leading to inaccurate analytics and potentially misleading marketing decisions.", "risk_and_exploitability": "The vulnerability scores a CVSS of 5.3, indicating a medium severity. It does not appear in the CISA KEV catalog and no EPSS score is available. The attack can be carried out remotely by submitting HTTP requests to the plugin\u2019s AJAX endpoint, so an unauthenticated actor can exploit it from any network with access to the site. While the impact is confined to analytics data, the ability to manipulate conversion statistics can erode business trust and lead to erroneous decisions."}}}}, "created": "2026-04-08T19:33:50.030007+00:00", "updated": "2026-04-08T19:45:09.236490+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpmudev", "wpmudev$PRODUCT$hustle_\u2013_email_marketing,_lead_generation,_optins,_popups"]}