CVE-2026-2515 MEDIUM

CVE-2026-2515: Hostinger Reach <= 1.3.8 - Missing Authorization to Authenticated (Subscriber+) Integration API Key Update

Vendor: Hostinger
Product: Hostinger Reach – AI-Powered Email Marketing for WordPress
Weakness: CWE-862 · Missing authorization
Published: May 13, 2026
Last update: May 13, 2026

CVSS base score: 5.3/10

Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_ajax_action' function in all versions up to, and including, 1.3.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to use the 'hostinger_reach_connection_notice_action' action to update the API key value stored in the database. This vulnerability can only be exploited when the plugin is not connected to a site and no API key value exists in the database.
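The description above names the pattern (an AJAX handler that changes a stored setting without a capability check) but not the code, so the following is an added illustration and not the Hostinger Reach plugin's own implementation. The action name `hostinger_reach_connection_notice_action` and the function name `handle_ajax_action` are taken from the advisory; the handler bodies, the `vulnerable_`/`hardened_` prefixes, the `api_key` POST field and the option name `example_reach_api_key` are hypothetical. It shows the vulnerable shape beside the hardened one using core WordPress APIs (`current_user_can`, `check_ajax_referer`).

```php
<?php
// Added example of the CWE-862 pattern from the advisory; NOT the plugin's code.
// Option name 'example_reach_api_key', the 'api_key' POST field and both
// function bodies are hypothetical.

// --- Vulnerable shape ---------------------------------------------------
// A wp_ajax_{action} hook fires for any logged-in user, so with no capability
// check here a Subscriber can reach the handler. The only gate is "no key
// stored yet", which matches the precondition in the advisory text.
function vulnerable_handle_ajax_action() {
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';

    if ( '' === get_option( 'example_reach_api_key', '' ) && '' !== $api_key ) {
        // Integrity impact: a caller-chosen key is written to the database.
        update_option( 'example_reach_api_key', $api_key );
    }
    wp_send_json_success();
}
// Previously this is what would have been hooked:
// add_action( 'wp_ajax_hostinger_reach_connection_notice_action', 'vulnerable_handle_ajax_action' );

// --- Hardened shape -----------------------------------------------------
// Authorization first, then CSRF protection, then input validation, and only
// then the state change. Both wp_send_json_error() and a failed
// check_ajax_referer() terminate the request, so no code below them runs.
function hardened_handle_ajax_action() {
    // 1. Authorization: only users allowed to manage plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: nonce bound to this specific action, sent as 'nonce'.
    check_ajax_referer( 'hostinger_reach_connection_notice_action', 'nonce' );

    // 3. Input validation.
    $api_key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    if ( '' === $api_key ) {
        wp_send_json_error( array( 'message' => 'Missing API key.' ), 400 );
    }

    // 4. State change, reached only by an authorized, nonce-validated request.
    update_option( 'example_reach_api_key', $api_key );
    wp_send_json_success();
}
add_action( 'wp_ajax_hostinger_reach_connection_notice_action', 'hardened_handle_ajax_action' );
```

The fix that matters for CWE-862 is step 1: the capability check decides who may perform the action at all. The nonce in step 2 is a separate control against cross-site request forgery and does not substitute for authorization, which is why both are present. When auditing similar handlers, look for `update_option`, `delete_option` or database writes that are reachable from a `wp_ajax_` hook without a `current_user_can` call before them.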

Explanation of Vulnerability in Simple Terms

02 Summary

The Hostinger Reach plugin for WordPress contains an authorization flaw that allows authenticated users with low privileges to modify data they should not have access to. The flaw is reachable over the network, is rated High in attack complexity, and requires no user interaction. There is no confidentiality or availability impact, but the integrity of stored data can be compromised.

What an attacker can do

03 Attacker Capabilities

Modify or change data in the plugin that should be restricted to higher-privilege users.

Potential impact on your site

04 Site Impact

Low-privilege users (subscribers, contributors) may alter plugin settings or data intended only for administrators.

Conditions required to exploit

05 Prerequisites

An attacker needs an authenticated WordPress account with Subscriber-level access or above and network access to the site. The attack complexity is rated High; per the description, the update only succeeds while the plugin is not yet connected to a site and no API key value exists in the database.

Key dates

06 Disclosure timeline

May 13, 2026: CVE published
May 13, 2026: Record updated