Atomic Edge analysis of CVE-2026-0911:
This vulnerability is an authenticated arbitrary file upload in the Hustle WordPress plugin. The flaw resides in the module import functionality, allowing users with subscriber-level access or higher to upload arbitrary files, potentially leading to remote code execution. The vulnerability has a CVSS score of 7.5.
The root cause is a combination of improper capability checks and disabled file type validation in the `action_import_module()` function within `/inc/hustle-modules-common-admin-ajax.php`. The original code at line 371 incorrectly checked `! $is_new_module && ! current_user_can( 'hustle_create' )`, which could allow unauthorized users to import into existing modules. Furthermore, the `wp_handle_upload` call at line 420 used `'test_type' => false`, which disabled MIME type verification. This allowed non-JSON file uploads.
Exploitation requires an authenticated attacker with at least Subscriber-level access. The attacker must first be granted Hustle module permissions by an administrator. They then send a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `hustle_import_module`. The request must include a valid nonce (obtained from the Hustle admin page) and a multipart file upload for the `import_file` parameter. The payload is a malicious file, such as a PHP webshell, disguised with a `.json` extension or other bypass techniques.
The patch addresses both the authorization and validation flaws. In `hustle-modules-common-admin-ajax.php`, line 371 is corrected to `if ( $is_new_module && ! Opt_In_Utils::is_user_allowed( 'hustle_create' ) )`, properly restricting creation permissions. The `'test_type'` parameter for `wp_handle_upload` is changed from `false` to `true` at line 421, re-enabling MIME checks. A temporary filter is added to allow only `application/json` MIME types during the upload process, which is removed immediately after.
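The hardening pattern described above, written out as an added example (not the Hustle plugin's code or the vendor's patch). The `example_*` function names and the nonce action are hypothetical, `'test_form' => false` is an assumption about the handler, and the final JSON parse goes one step beyond the patch as described.

```php
<?php
// Added illustration, not the Hustle plugin's code; example_* names are hypothetical.

// Allow-list used only while one import is processed.
function example_only_json_mimes( $mimes ) {
	return array( 'json' => 'application/json' );
}

function example_handle_module_import( $is_new_module ) {
	check_ajax_referer( 'example_import_nonce' ); // placeholder nonce action

	// Capability check in the form the page quotes for the patched line 371.
	if ( $is_new_module && ! Opt_In_Utils::is_user_allowed( 'hustle_create' ) ) {
		wp_send_json_error( 'Not allowed.', 403 );
	}
	if ( empty( $_FILES['import_file'] ) ) {
		wp_send_json_error( 'No file supplied.', 400 );
	}

	// Weak setting described above: 'test_type' => false skips the file type check.
	// Corrected setting: 'test_type' => true. 'test_form' => false is assumed here
	// because the request does not come from the core upload form.
	$overrides = array( 'test_form' => false, 'test_type' => true );

	add_filter( 'upload_mimes', 'example_only_json_mimes' );
	try {
		$upload = wp_handle_upload( $_FILES['import_file'], $overrides );
	} finally {
		// Remove the filter even if the upload throws, so it never leaks
		// into other uploads in the same request.
		remove_filter( 'upload_mimes', 'example_only_json_mimes' );
	}
	if ( isset( $upload['error'] ) ) {
		wp_send_json_error( $upload['error'], 400 );
	}

	// Extra check beyond the patch as described: the content must parse as JSON.
	$data = json_decode( (string) file_get_contents( $upload['file'] ), true );
	if ( ! is_array( $data ) ) {
		wp_delete_file( $upload['file'] );
		wp_send_json_error( 'Import file is not valid JSON.', 400 );
	}
	return $data;
}
```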
Successful exploitation leads to arbitrary file upload to the WordPress server’s upload directory. An attacker can upload executable scripts like PHP webshells, resulting in full remote code execution. This compromises the hosting server, allowing data theft, site defacement, and further network penetration. The requirement for a user to have module permissions, while a partial barrier, is a privilege often granted in multi-author environments.
