PT-2026-40586 · WordPress · Hostinger Reach
Dmitry Ignatyev
·
Published
2026-05-13
·
Updated
2026-05-13
·
CVE-2026-2515
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Hostinger Reach – AI-Powered Email Marketing for WordPress versions prior to 1.3.9
Description
The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin allows unauthorized modification of data because the
handle ajax action() function lacks a capability check. Authenticated users with Subscriber-level access or higher can utilize the 'hostinger reach connection notice action' action to update the API key stored in the database. This issue is exploitable only if the plugin is not connected to a site and no API key currently exists in the database.Recommendations
Update to a version later than 1.3.8.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Hostinger Reach