Description
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPMU DEV - Your All-in-One WordPress Platform Hustle wordpress-popup allows Retrieve Embedded Sensitive Data. This issue affects Hustle: from n/a through <= 7.8.9.2.
Published: 2026-02-03
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Patch
AI Analysis

Impact

The WPMU DEV Hustle plugin through version 7.8.9.2 contains a flaw that enables any attacker, regardless of authentication, to retrieve embedded sensitive data. The vulnerability is classified as an exposure of sensitive system information to an unauthorized control sphere, allowing malicious actors to view data that should be restricted to site administrators. The primary impact is the unauthorized disclosure of confidential information, which can lead to compromise of site security and user privacy.

Affected Systems

WordPress sites that have the Hustle popup plugin installed from the earliest available build up to version 7.8.9.2 are affected. The issue does not appear to be limited to particular WordPress themes or server configurations and applies to any site that uses the specified plugin versions.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium severity flaw, and the EPSS score of less than 1% shows a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting that there are no known active attacks. However, the flaw can be exploited remotely through the plugin’s exposed endpoints, and the lack of authentication checks directly increases the risk of sensitive data leakage.

Generated by OpenCVE AI on April 16, 2026 at 01:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Hustle plugin to version 7.8.9.3 or later, which contains the remediation.
  • If an upgrade is not immediately possible, disable or uninstall the Hustle plugin to eliminate the exposure pathway.
  • Implement monitoring of web server logs for unusual requests to the plugin’s data retrieval endpoints and perform regular security reviews of active plugins.

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress; Wpmudev; Wpmudev hustle
Vendors & Products | | Wordpress; Wordpress wordpress; Wpmudev; Wpmudev hustle

Tue, 03 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPMU DEV - Your All-in-One WordPress Platform Hustle wordpress-popup allows Retrieve Embedded Sensitive Data. This issue affects Hustle: from n/a through <= 7.8.9.2.
Title | | WordPress Hustle plugin <= 7.8.9.2 - Sensitive Data Exposure vulnerability
Weaknesses | | CWE-497
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:52.960Z

Reserved: 2026-01-28T09:50:57.103Z

Link: CVE-2026-24998

Vulnrichment

Updated: 2026-02-03T15:50:49.442Z

NVD

Status: Deferred

Published: 2026-02-03T15:16:19.043

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24998

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T01:15:20Z

Weaknesses