Vulnerabilites related to wpmudev - Hustle – Email Marketing, Lead Generation, Optins, Popups
CVE-2024-0368 (GCVE-0-2024-0368)
Vulnerability from cvelistv5
Published
2024-03-13 15:27
Modified
2024-08-02 20:39
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.8.3 via hardcoded API Keys. This makes it possible for unauthenticated attackers to extract sensitive data including PII.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpmudev | Hustle – Email Marketing, Lead Generation, Optins, Popups |
Version: * ≤ 7.8.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:04:49.506Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e6d40b41-540d-476d-afde-970845543933?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php#L13"
},
{
"tags": [
"x_transferred"
],
"url": "https://developers.hubspot.com/docs/api/webhooks#scopes"
},
{
"tags": [
"x_transferred"
],
"url": "https://developers.hubspot.com/docs/api/webhooks#manage-settings-via-api"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3047775/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php?old=3025070\u0026old_path=wordpress-popup/tags/7.8.3/inc/providers/hubspot/hustle-hubspot-api.php"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wpmudev:hustle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "hustle",
"vendor": "wpmudev",
"versions": [
{
"lessThanOrEqual": "7.8.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-0368",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-02T20:38:25.301715Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T20:39:27.616Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups",
"vendor": "wpmudev",
"versions": [
{
"lessThanOrEqual": "7.8.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sean Murphy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.8.3 via hardcoded API Keys. This makes it possible for unauthenticated attackers to extract sensitive data including PII."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-13T15:27:21.681Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e6d40b41-540d-476d-afde-970845543933?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php#L13"
},
{
"url": "https://developers.hubspot.com/docs/api/webhooks#scopes"
},
{
"url": "https://developers.hubspot.com/docs/api/webhooks#manage-settings-via-api"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3047775/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php?old=3025070\u0026old_path=wordpress-popup/tags/7.8.3/inc/providers/hubspot/hustle-hubspot-api.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-12T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-0368",
"datePublished": "2024-03-13T15:27:21.681Z",
"dateReserved": "2024-01-09T19:55:46.479Z",
"dateUpdated": "2024-08-02T20:39:27.616Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10580 (GCVE-0-2024-10580)
Vulnerability from cvelistv5
Published
2024-11-27 06:41
Modified
2024-11-27 14:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized form submissions due to a missing capability check on the submit_form() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to submit unpublished forms.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpmudev | Hustle – Email Marketing, Lead Generation, Optins, Popups |
Version: * ≤ 7.8.5 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:wpmudev:hustle:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "hustle",
"vendor": "wpmudev",
"versions": [
{
"lessThanOrEqual": "7.8.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10580",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-27T14:34:24.997950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T14:40:32.667Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups",
"vendor": "wpmudev",
"versions": [
{
"lessThanOrEqual": "7.8.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vijaysimha Reddy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized form submissions due to a missing capability check on the submit_form() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to submit unpublished forms."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T06:41:28.378Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3b2f8726-c4c4-4ed6-aa8d-4412cf5be061?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.5/inc/front/hustle-module-front-ajax.php#L251"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3196639/wordpress-popup/tags/7.8.6/inc/front/hustle-module-front-ajax.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-26T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups \u003c= 7.8.5 - Missing Authorization to Unauthorized Form Submission"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-10580",
"datePublished": "2024-11-27T06:41:28.378Z",
"dateReserved": "2024-10-31T12:57:12.812Z",
"dateUpdated": "2024-11-27T14:40:32.667Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10579 (GCVE-0-2024-10579)
Vulnerability from cvelistv5
Published
2024-11-26 11:04
Modified
2024-11-26 14:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the preview_module() function in all versions up to, and including, 7.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view unpublished forms.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpmudev | Hustle – Email Marketing, Lead Generation, Optins, Popups |
Version: * ≤ 7.8.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10579",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T14:01:46.440286Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T14:09:22.368Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups",
"vendor": "wpmudev",
"versions": [
{
"lessThanOrEqual": "7.8.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vijaysimha Reddy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the preview_module() function in all versions up to, and including, 7.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view unpublished forms."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T11:04:31.503Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ebd96d9c-c1ab-4a53-a52a-9fc2541482f2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/tags/7.8.5/inc/hustle-modules-common-admin-ajax.php#L189"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/trunk/inc/hustle-modules-common-admin-ajax.php#L189"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-11-25T21:55:08.000+00:00",
"value": "Disclosed"
}
],
"title": "Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups \u003c= 7.8.5 - Missing Authorization to Unpublished Form Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-10579",
"datePublished": "2024-11-26T11:04:31.503Z",
"dateReserved": "2024-10-31T12:54:11.097Z",
"dateUpdated": "2024-11-26T14:09:22.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}