Hustle
cpe:2.3:a:incsub:hustle:*:*:*:*:wordpress:*:*
- Affected versions: <= 7.8.9.2
The Hustle WordPress plugin, in versions up to and including 7.8.9.2, is vulnerable to arbitrary file upload. The cause is improper file type validation in the action_import_module() function. Authenticated attackers with low-privileged roles, such as Subscriber, can upload arbitrary files to the server, which may facilitate remote code execution. Exploitation requires that an admin has granted Hustle module permissions to the low-privileged user, which gives that user access to the Hustle admin page and the necessary nonce.
Exploitation of this vulnerability could lead to arbitrary file uploads, potentially allowing for remote code execution on the affected server.
Users are advised to update the Hustle WordPress plugin to version 7.8.9.3 or a newer patched version.