A high-severity vulnerability has been identified in the "Hustle" WordPress plugin, which could allow an attacker to upload malicious files to a website. A successful attack could lead to a complete website takeover, data theft, and further compromise of the hosting environment. Organizations using this plugin are urged to apply the recommended update immediately to mitigate this critical risk.

The vulnerability exists within the action_import_module() function of the Hustle plugin. This function, responsible for importing plugin modules, fails to properly validate the file type of uploaded files. An authenticated attacker, potentially with low-level privileges, can exploit this flaw by crafting a request to upload a malicious script (e.g., a PHP web shell) disguised as a legitimate file. Once the malicious file is on the server, the attacker can execute it, gaining the ability to run arbitrary code with the permissions of the web server process, leading to a full site compromise.

This vulnerability is rated as High severity with a CVSS score of 7.5. A successful exploit could have a significant negative impact on the business. The ability for an attacker to achieve remote code execution can lead to a complete loss of control over the affected website, theft of sensitive data (including customer information and user credentials), website defacement, and the use of the compromised server to launch further attacks or distribute malware. Such an incident can result in severe reputational damage, regulatory fines, and financial loss associated with incident response and recovery.

Immediate Action:

• Immediately update the "Hustle – Email Marketing, Lead Generation, Optins, Popups" plugin to the latest patched version (greater than 7.0).
• If the plugin is not essential for business operations, consider deactivating and uninstalling it to completely remove the attack surface.
• Review WordPress user roles and permissions to ensure users only have the minimum privileges necessary for their tasks.

Proactive Monitoring:

• Monitor web server access logs for unusual POST requests to WordPress admin endpoints, particularly those related to the Hustle plugin's import functionality.
• Scan the WordPress uploads directory and plugin directories for any unexpected or suspicious files (e.g., files with .php, .phtml, .php5 extensions).
• Utilize a file integrity monitoring (FIM) system to alert on unauthorized changes to core WordPress files, themes, and plugins.

Compensating Controls:

• Implement a Web Application Firewall (WAF) with rules designed to inspect and block malicious file uploads and common web shell signatures.
• Restrict access to the WordPress administrative dashboard (/wp-admin/) to trusted IP addresses only.
• Harden web server file permissions to prevent the web server process from writing to sensitive directories or executing files in upload folders.

Public Exploit Available: false

Given the high-severity rating (CVSS 7.5) and the potential for complete system compromise, immediate action is required. We strongly recommend that all organizations using the affected "Hustle" plugin prioritize updating it to the latest version without delay. While this CVE is not currently listed on the CISA KEV list, its critical impact warrants treating it with the same level of urgency. If an immediate update is not feasible, implement the suggested compensating controls, but patching should remain the primary goal.