Description
The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_ajax_action' function in all versions up to, and including, 1.3.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to use the 'hostinger_reach_connection_notice_action' action to update the API key value stored in the database. This vulnerability can only be exploited when the plugin is not connected to a site and no API key value exists in the database.
Published: 2026-05-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Hostinger Reach – AI‑Powered Email Marketing for WordPress plugin for WordPress is vulnerable to an unauthorized modification of data due to a missing capability check on the 'handle_ajax_action' function. In all versions up to and including 1.3.8, an authenticated attacker who has Subscriber‑level access and above can trigger the 'hostinger_reach_connection_notice_action' action to update the API key value stored in the database. This change allows the attacker to set an arbitrary API key, which may enable further exploitation of the email marketing integration or compromise communications. The vulnerability provides a direct path for credential or configuration manipulation, and could allow attackers to use their own key to access or alter email campaign data.

Affected Systems

Hostinger Reach – AI‑Powered Email Marketing for WordPress plugin, versions up to and including 1.3.8, which are installed on WordPress sites hosted by hosts leveraging the Hostinger Reach package.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.3, indicating moderate severity. Although no EPSS information is available, the lack of a randomly exploitable vector and the requirement for an authenticated user with Subscriber-level permissions limit the risk. The vulnerability is not listed in the CISA KEV catalog. Exploitation occurs via an AJAX endpoint when the plugin is unconnected and no API key has yet been stored; therefore the window of opportunity is narrow, but the potential impact on configuration integrity is significant.

Generated by OpenCVE AI on May 13, 2026 at 10:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest available version of the Hostinger Reach plugin, where the missing capability check has been addressed.
  • If an update is unavailable, restrict the 'hostinger_reach_connection_notice_action' AJAX endpoint to administrators only by adding a custom capability check or modifying the plugin code to enforce authorization.
  • Monitor the wp_options table for unexpected changes to 'hostinger_reach_api_key' and audit user activity to detect unauthorized API key updates.

Generated by OpenCVE AI on May 13, 2026 at 10:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Hostinger
Hostinger hostinger Reach – Ai-powered Email Marketing For Wordpress
Wordpress
Wordpress wordpress
Vendors & Products Hostinger
Hostinger hostinger Reach – Ai-powered Email Marketing For Wordpress
Wordpress
Wordpress wordpress

Wed, 13 May 2026 09:15:00 +0000

Type Values Removed Values Added
Description The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_ajax_action' function in all versions up to, and including, 1.3.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to use the 'hostinger_reach_connection_notice_action' action to update the API key value stored in the database. This vulnerability can only be exploited when the plugin is not connected to a site and no API key value exists in the database.
Title Hostinger Reach <= 1.3.8 - Missing Authorization to Authenticated (Subscriber+) Integration API Key Update
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Hostinger Hostinger Reach – Ai-powered Email Marketing For Wordpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-13T10:19:59.430Z

Reserved: 2026-02-14T19:14:40.183Z

Link: CVE-2026-2515

cve-icon Vulnrichment

Updated: 2026-05-13T10:18:11.026Z

cve-icon NVD

Status : Deferred

Published: 2026-05-13T13:01:39.920

Modified: 2026-05-13T14:43:46.717

Link: CVE-2026-2515

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T11:00:13Z

Weaknesses