CVE-2026-2515 - Vulnerability Details

The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_ajax_action' function in all versions up to, and including, 1.3.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to use the 'hostinger_reach_connection_notice_action' action to update the API key value stored in the database. This vulnerability can only be exploited when the plugin is not connected to a site and no API key value exists in the database.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://plugins.trac.wordpress.org/browser/hostinger-reach/trunk/src/Admin/Notices/ConnectionNotice.php#L44
https://plugins.trac.wordpress.org/browser/hostinger-reach/trunk/src/Api/Routes/ReachRoutes.php#L86
https://plugins.trac.wordpress.org/changeset/3473571/
https://www.wordfence.com/threat-intel/vulnerabilities/id/8d0fef4d-2c0e-486e-8a55-1c7230636a5c?source=cve

History

Wed, 13 May 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_ajax_action' function in all versions up to, and including, 1.3.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to use the 'hostinger_reach_connection_notice_action' action to update the API key value stored in the database. This vulnerability can only be exploited when the plugin is not connected to a site and no API key value exists in the database.
Title		Hostinger Reach <= 1.3.8 - Missing Authorization to Authenticated (Subscriber+) Integration API Key Update
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/hostinger-reach/trunk/src/Admin/Notices/ConnectionNotice.php#L44 https://plugins.trac.wordpress.org/browser/hostinger-reach/trunk/src/Api/Routes/ReachRoutes.php#L86 https://plugins.trac.wordpress.org/changeset/3473571/ https://www.wordfence.com/threat-intel/vulnerabilities/id/8d0fef4d-2c0e-486e-8a55-1c7230636a5c?source=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-05-13T08:26:35.712Z

Updated: 2026-05-13T08:26:35.712Z

Reserved: 2026-02-14T19:14:40.183Z

Link: CVE-2026-2515

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object