Threat Entry Updated 2026-04-08

CVE-2026-2263 - Popups Plugin

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for unauthenticated attackers to forge conversion tracking events for any Hustle module, including draft modules that are never displayed to users, thereby manipulating marketing analytics and conversion statistics.

PLUGIN Popups

CVE-2026-2263

MEDIUM CVSS 5.3 2026-04-08

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-04-15

CVE-2026-0911 - Popups Plugin

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, with a lower-privileged role (e.g., Subscriber-level access and above), to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires an admin to grant Hustle module permissions (or module edit access) to the low-privileged user so they can access…

PLUGIN Popups

CVE-2026-0911

HIGH CVSS 7.5 2026-01-24

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-27

CVE-2024-10580 - Popups Plugin

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized form submissions due to a missing capability check on the submit_form() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to submit unpublished forms.

PLUGIN Popups

CVE-2024-10580

MEDIUM CVSS 5.3 2024-11-27

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-26

CVE-2024-10579 - Popups Plugin

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the preview_module() function in all versions up to, and including, 7.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view unpublished forms.

PLUGIN Popups

CVE-2024-10579

MEDIUM CVSS 4.3 2024-11-26

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-03-11

CVE-2024-0368 - Popups Plugin

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.8.3 via hardcoded API Keys. This makes it possible for unauthenticated attackers to extract sensitive data including PII.

PLUGIN Popups

CVE-2024-0368

HIGH CVSS 8.6 2024-03-13

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2023-4961 - Popups Plugin

The Poptin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'poptin-form' shortcode in versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Popups

CVE-2023-4961

MEDIUM CVSS 6.4 2023-10-20

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-11-21

CVE-2022-2305 - Popups Plugin

The WordPress Popup WordPress plugin through 1.9.3.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup)

PLUGIN Popups

CVE-2022-2305

MEDIUM CVSS 4.8 2022-08-01

Risk Score

Open Full Technical Breakdown