What the vulnerability does
01 Description
The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_ajax_action' function in all versions up to, and including, 1.3.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to use the 'hostinger_reach_connection_notice_action' action to update the API key value stored in the database. This vulnerability can only be exploited when the plugin is not connected to a site and no API key value exists in the database.
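As an added illustration of the defect class the description names (a WordPress AJAX handler that modifies a stored setting without a capability check), the following shows a hypothetical vulnerable handler beside its hardened form. This is example code, not the plugin's own source; the function, hook, option and nonce names are assumptions, and the real fix in 1.3.8's successor may differ.

```php
<?php
// Added example, not the plugin's code. Names below are hypothetical.
// WordPress routes every wp_ajax_{action} request from any logged-in user,
// so a handler that skips current_user_can() is reachable by a Subscriber.

// BEFORE (hypothetical vulnerable pattern): no nonce and no capability check.
// A Subscriber can set the key as long as none is stored yet, matching the
// "only exploitable when not connected" precondition in the description.
function example_handle_ajax_action_vulnerable() {
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    if ( '' === get_option( 'example_api_key', '' ) ) {
        update_option( 'example_api_key', $api_key );   // integrity impact: attacker-chosen key
    }
    wp_send_json_success();
}

// AFTER (hardened): verify the request nonce (CSRF) and require an
// administrator-level capability (authorization) before any write.
// wp_send_json_error() ends the request, so no further code runs on failure.
function example_handle_ajax_action_secure() {
    check_ajax_referer( 'example_connection_notice', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    if ( '' === $api_key ) {
        wp_send_json_error( array( 'message' => 'Missing API key.' ), 400 );
    }
    update_option( 'example_api_key', $api_key );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_connection_notice_action', 'example_handle_ajax_action_secure' );
```

The same check belongs in every `wp_ajax_*` callback that writes options; a nonce alone does not authorize, and a capability check alone does not stop CSRF.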
Explanation of the vulnerability in simple terms
02 Summary
The Hostinger Reach plugin for WordPress contains an authorization flaw that allows authenticated users with low privileges to modify data they should not have access to. The vulnerability requires network access and some attack complexity, but does not require user interaction. No confidentiality or availability impact occurs, but integrity of data can be compromised.
What an attacker can do
03 Attacker capabilities
Modify or change data in the plugin that should be restricted to higher-privilege users.
Potential impact on your site
04 Site impact
Low-privilege users (subscribers, contributors) may alter plugin settings or data intended only for administrators.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege WordPress account; network access required; some technical complexity involved.
Key dates
06 Disclosure timeline
May 13, 2026: CVE published
May 13, 2026: Record updated