WPMU DEV Hustle EUVD-2026-29536 | CVE-2026-25431 MEDIUM
Missing Authorization (CWE-862)
2026-05-12 Patchstack GHSA-q8j3-7hr2-pxhc
5.3 (CVSS 3.1 · NVD)
Severity by source

NVD (PRIMARY): 5.3 MEDIUM, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: May 12, 2026 - 17:16 (vuln.today)
CVE Published: May 12, 2026 - 16:32 (nvd), MEDIUM 5.3

Description (CVE.org)

Missing Authorization vulnerability in WPMU DEV Hustle allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Hustle: through 7.8.10.1.

Analysis (AI)

WPMU DEV Hustle plugin versions through 7.8.10.1 allow unauthenticated remote attackers to modify sensitive data via missing authorization controls on access-restricted functionality. The vulnerability exploits incorrectly configured access control security levels, enabling attackers to bypass authentication mechanisms without user interaction. …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

Access: Discover unauthenticated Hustle API endpoint
Delivery: Craft HTTP request without authorization token
Exploit: Submit malicious payload to modify settings
Execution: Changes persist in Hustle configuration
Impact: Affects popups or user data handling

Vulnerability Assessment (AI)

Exploitation: No special conditions are required - the vulnerability affects default configurations of WPMU DEV Hustle plugin versions through 7.8.10.1 when installed and activated on a WordPress site. …

Risk Assessment: The CVSS score of 5.3 (Medium severity) reflects a network-accessible vulnerability requiring no authentication or user interaction, but with limited scope and no confidentiality impact. …

Exploit Scenario: An unauthenticated attacker discovers that Hustle plugin endpoints (likely AJAX handlers) do not properly validate user permissions. The attacker crafts HTTP requests to these endpoints with modified parameters - such as popup content, conversion settings, or configuration data - and successfully submits changes without authentication. …

Remediation: Update WPMU DEV Hustle plugin to a version released after 7.8.10.1 - check the official WPMU DEV plugin repository or WordPress.org Hustle plugin page for the latest patched version number. …
