CVE-2026-2515 - Hostinger Reach <= 1.3.8 - Missing Authorization to Authenticated (Subscriber+) Integration API Key Update
CVE ID :CVE-2026-2515
Published : May 13, 2026, 8:26 a.m. | 2 hours, 39 minutes ago
Description :The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_ajax_action' function in all versions up to, and including, 1.3.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to use the 'hostinger_reach_connection_notice_action' action to update the API key value stored in the database. This vulnerability can only be exploited when the plugin is not connected to a site and no API key value exists in the database.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Published : May 13, 2026, 8:26 a.m. | 2 hours, 39 minutes ago
Description :The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_ajax_action' function in all versions up to, and including, 1.3.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to use the 'hostinger_reach_connection_notice_action' action to update the API key value stored in the database. This vulnerability can only be exploited when the plugin is not connected to a site and no API key value exists in the database.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...