Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
Hustle Plugin for WordPress Allows Unapproved Data Changes
CVE-2026-2263
Summary
The Hustle plugin for WordPress, used for email marketing and lead generation, is missing a security check that could let hackers manipulate marketing data. This means they could fake conversion tracking for any email campaign, even if it's not visible to users. To fix this, update the plugin to the latest version or remove it if you're not using it to prevent potential data tampering.
Original title
The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_convert...
Original description
The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for unauthenticated attackers to forge conversion tracking events for any Hustle module, including draft modules that are never displayed to users, thereby manipulating marketing analytics and conversion statistics.
nvd CVSS3.1
5.3
Vulnerability type
CWE-862
Missing Authorization
- https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/fron...
- https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/fron...
- https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.9.3/inc/fron...
- https://plugins.trac.wordpress.org/changeset?old_path=/wordpress-popup/tags/7.8....
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2305462c-0a00-4423-8dc...
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026