CVE-2024-0368 - Vulnerability Details - OpenCVE

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.8.3 via hardcoded API Keys. This makes it possible for unauthenticated attackers to extract sensitive data including PII.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Wpmudev	Hustle

Configuration 1 [-]

cpe:2.3:a:wpmudev:hustle:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://developers.hubspot.com/docs/api/webhooks#manage-settings-via-api
https://developers.hubspot.com/docs/api/webhooks#scopes
https://plugins.trac.wordpress.org/browser/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php#L13
https://plugins.trac.wordpress.org/changeset/3047775/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php?old=3025070&old_path=wordpress-popup/tags/7.8.3/inc/providers/hubspot/hustle-hubspot-api.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/e6d40b41-540d-476d-afde-970845543933?source=cve

History

Wed, 08 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
Title		Hustle <= 7.8.3 - Sensitive Information Exposure via Exposed Hubspot API Keys
Weaknesses		CWE-522

Tue, 11 Mar 2025 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wpmudev Wpmudev hustle
Weaknesses		NVD-CWE-Other
CPEs		cpe:2.3:a:wpmudev:hustle::::::wordpress::*
Vendors & Products		Wpmudev Wpmudev hustle

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-03-13T15:27:21.681Z

Updated: 2026-04-08T17:30:15.925Z

Reserved: 2024-01-09T19:55:46.479Z

Link: CVE-2024-0368

Vulnrichment

Updated: 2024-08-01T18:04:49.506Z

NVD

Status : Modified

Published: 2024-03-13T16:15:10.623

Modified: 2026-04-08T19:19:08.890

Link: CVE-2024-0368

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-0368", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2024-01-09T19:55:46.479Z", "datePublished": "2024-03-13T15:27:21.681Z", "dateUpdated": "2026-04-08T17:30:15.925Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:30:15.925Z"}, "affected": [{"vendor": "wpmudev", "product": "Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.8.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.8.3 via hardcoded API Keys. This makes it possible for unauthenticated attackers to extract sensitive data including PII."}], "title": "Hustle <= 7.8.3 - Sensitive Information Exposure via Exposed Hubspot API Keys", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e6d40b41-540d-476d-afde-970845543933?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php#L13"}, {"url": "https://developers.hubspot.com/docs/api/webhooks#scopes"}, {"url": "https://developers.hubspot.com/docs/api/webhooks#manage-settings-via-api"}, {"url": "https://plugins.trac.wordpress.org/changeset/3047775/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php?old=3025070&old_path=wordpress-popup/tags/7.8.3/inc/providers/hubspot/hustle-hubspot-api.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-522 Insufficiently Protected Credentials", "cweId": "CWE-522", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "baseScore": 8.6, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Sean Murphy"}], "timeline": [{"time": "2024-03-12T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:04:49.506Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e6d40b41-540d-476d-afde-970845543933?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php#L13", "tags": ["x_transferred"]}, {"url": "https://developers.hubspot.com/docs/api/webhooks#scopes", "tags": ["x_transferred"]}, {"url": "https://developers.hubspot.com/docs/api/webhooks#manage-settings-via-api", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3047775/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php?old=3025070&old_path=wordpress-popup/tags/7.8.3/inc/providers/hubspot/hustle-hubspot-api.php", "tags": ["x_transferred"]}]}, {"affected": [{"vendor": "wpmudev", "product": "hustle", "cpes": ["cpe:2.3:a:wpmudev:hustle:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "7.8.3", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-02T20:38:25.301715Z", "id": "CVE-2024-0368", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-02T20:39:27.616Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e6d40b41-540d-476d-afde-970845543933?source=cve", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php#L13", "tags": ["x_transferred"]}, {"url": "https://developers.hubspot.com/docs/api/webhooks#scopes", "tags": ["x_transferred"]}, {"url": "https://developers.hubspot.com/docs/api/webhooks#manage-settings-via-api", "tags": ["x_transferred"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3047775/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php?old=3025070&old_path=wordpress-popup/tags/7.8.3/inc/providers/hubspot/hustle-hubspot-api.php", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:04:49.506Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0368", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-02T20:38:25.301715Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:wpmudev:hustle:*:*:*:*:*:*:*:*"], "vendor": "wpmudev", "product": "hustle", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "7.8.3"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-02T20:39:20.279Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "Sean Murphy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"}}], "affected": [{"vendor": "wpmudev", "product": "Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "7.8.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-03-12T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e6d40b41-540d-476d-afde-970845543933?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php#L13"}, {"url": "https://developers.hubspot.com/docs/api/webhooks#scopes"}, {"url": "https://developers.hubspot.com/docs/api/webhooks#manage-settings-via-api"}, {"url": "https://plugins.trac.wordpress.org/changeset/3047775/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php?old=3025070&old_path=wordpress-popup/tags/7.8.3/inc/providers/hubspot/hustle-hubspot-api.php"}], "descriptions": [{"lang": "en", "value": "The Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.8.3 via hardcoded API Keys. This makes it possible for unauthenticated attackers to extract sensitive data including PII."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-522 Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2024-03-13T15:27:21.681Z"}}}, "cveMetadata": {"cveId": "CVE-2024-0368", "state": "PUBLISHED", "dateUpdated": "2024-08-02T20:39:27.616Z", "dateReserved": "2024-01-09T19:55:46.479Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2024-03-13T15:27:21.681Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wpmudev:hustle:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "6DBE5624-1C28-43A2-AB06-3FA907954887", "versionEndExcluding": "7.8.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.8.3 via hardcoded API Keys. This makes it possible for unauthenticated attackers to extract sensitive data including PII."}, {"lang": "es", "value": "El complemento Hustle \u2013 Email Marketing, Lead Generation, Optins, Popups para WordPress es vulnerable a la exposici\u00f3n de informaci\u00f3n confidencial en todas las versiones hasta la 7.8.3 incluida a trav\u00e9s de claves API codificadas. Esto hace posible que atacantes no autenticados extraigan datos confidenciales, incluida la PII."}], "id": "CVE-2024-0368", "lastModified": "2026-04-08T19:19:08.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2024-03-13T16:15:10.623", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://developers.hubspot.com/docs/api/webhooks#manage-settings-via-api"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://developers.hubspot.com/docs/api/webhooks#scopes"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php#L13"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3047775/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php?old=3025070&old_path=wordpress-popup/tags/7.8.3/inc/providers/hubspot/hustle-hubspot-api.php"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e6d40b41-540d-476d-afde-970845543933?source=cve"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://developers.hubspot.com/docs/api/webhooks#manage-settings-via-api"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://developers.hubspot.com/docs/api/webhooks#scopes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php#L13"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3047775/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php?old=3025070&old_path=wordpress-popup/tags/7.8.3/inc/providers/hubspot/hustle-hubspot-api.php"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e6d40b41-540d-476d-afde-970845543933?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "security@wordfence.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Secondary"}]}