CVE-2026-2515: Data Modification in Hostinger Reach WordPress Plugin
Platform
wordpress
Component
hostinger-reach
Fixed in
1.3.9
CVE-2026-2515 affects the Hostinger Reach – AI-Powered Email Marketing for WordPress plugin, a WordPress plugin designed to enhance email marketing capabilities. This vulnerability allows authenticated attackers, even those with Subscriber-level access, to modify the plugin's API key. The issue stems from a missing capability check, enabling unauthorized data manipulation. Affected versions include 1.0.0 through 1.3.8, with a fix available in version 1.3.9.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Impact and Attack Scenarios
The primary impact of CVE-2026-2515 is the potential for unauthorized modification of the API key used by the Hostinger Reach plugin. An attacker with Subscriber access can exploit this flaw to update the API key stored in the database. This could lead to compromised email marketing campaigns, unauthorized access to email lists, and potentially, the injection of malicious content into outgoing emails. The vulnerability is specifically exploitable when the plugin is not connected to a site and no API key exists, making it a targeted attack vector. While the impact is limited to data modification, it can still cause significant disruption and reputational damage.
Exploitation Context
CVE-2026-2515 was published on May 13, 2026. Its severity is rated as Medium (CVSS 5.3). No public proof-of-concept (POC) code is currently available. There are no indications of active exploitation campaigns targeting this vulnerability at the time of publication. The vulnerability is not listed on CISA Known Exploited Vulnerabilities (KEV) catalog, and the EPSS score is pending evaluation.
Threat Intelligence
Exploit Status
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
- Privileges Required
- Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- None — no confidentiality impact. Attacker cannot read protected data.
- Integrity
- High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability
- None — no availability impact. Service remains fully operational.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
Mitigation and Workarounds
The recommended mitigation for CVE-2026-2515 is to immediately upgrade the Hostinger Reach plugin to version 1.3.9 or later. If upgrading is not feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin until a compatible version can be deployed. While a direct workaround isn't available, closely monitor database activity for any unauthorized changes to the API key. Implement stricter user access controls within WordPress to limit the privileges granted to Subscriber-level users. After upgrading, confirm the fix by verifying that Subscriber-level users are unable to modify the API key via the 'hostingerreachconnectionnoticeaction' action.
How to fix
Update to version 1.3.9, or a newer patched version
Frequently asked questions
What is CVE-2026-2515 — Data Modification in Hostinger Reach WordPress Plugin?
CVE-2026-2515 is a medium-severity vulnerability in the Hostinger Reach WordPress plugin allowing authenticated subscribers to modify the API key, potentially compromising email marketing data. It affects versions 1.0.0 through 1.3.8.
Am I affected by CVE-2026-2515 in Hostinger Reach WordPress Plugin?
You are affected if you are using Hostinger Reach WordPress plugin versions 1.0.0 to 1.3.8. Check your plugin version and upgrade immediately if vulnerable.
How do I fix CVE-2026-2515 in Hostinger Reach WordPress Plugin?
Upgrade the Hostinger Reach plugin to version 1.3.9 or later to resolve this vulnerability. If upgrading is not possible, temporarily disable the plugin and monitor database activity.
Is CVE-2026-2515 being actively exploited?
There are currently no indications of active exploitation campaigns targeting CVE-2026-2515, but it's crucial to apply the fix promptly to prevent potential future attacks.
Where can I find the official Hostinger Reach advisory for CVE-2026-2515?
Refer to the official Hostinger Reach plugin documentation and support channels for the latest advisory and updates regarding CVE-2026-2515: https://hostinger.com/reach
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Scan your WordPress project now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...