Hostinger Reach WordPress Plugin Missing Authorization Vulnerability in Connection Notice Action

A vulnerability exists in the Hostinger Reach WordPress plugin, specifically in versions through 1.3.8. The issue arises from a lack of proper capability checks in the 'handle_ajax_action' function, allowing authenticated attackers with Subscriber-level access or higher to unauthorizedly modify data. Exploitation involves using the 'hostinger_reach_connection_notice_action' to change the API key value in the database. This vulnerability is only exploitable when the plugin is not connected to a site and the database does not already contain an API key.

Impact

Exploitation of this vulnerability allows for unauthorized modification of the API key value in the database, potentially disrupting the integration with the Hostinger Reach service.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a POST request to the 'wp_ajax_hostinger_reach_connection_notice_action' endpoint via the admin-ajax.php file. The request must include a 'nonce' parameter for verification and a 'choice' parameter set to 'connect' to trigger the API key update action. This can be done using a custom script or a tool like Postman, ensuring that the WordPress site is using an affected version of the Hostinger Reach plugin and that no API key is currently set in the database.

Remediation

Users are advised to update the Hostinger Reach WordPress plugin to version 1.3.9 or later, where this vulnerability has been patched.