WordPress Plugin Vulnerabilities

Hostinger < 1.9.8 - Unauthenticated Maintenance Mode Toggle

Description

The Hostinger plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the function publish_website in all versions up to, and including, 1.9.7. This makes it possible for unauthenticated attackers to enable and disable maintenance mode.

Affects Plugins

Plugin icon
hostinger
Fixed in 1.9.8

References

CVE
CVE-2023-6751
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d89cf759-5e5f-43e2-90a9-a8e554653ee1

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
f8bcc46d-054f-4246-ae98-73f18d02c172

Timeline

Publicly Published
2024-01-05 (about 2 years ago)
Added
2024-01-05 (about 2 years ago)
Last Updated
2024-01-05 (about 2 years ago)

Other

Published
Title
Published
2024-11-18
Title
Google for WooCommerce < 2.8.7 - Information Disclosure via Publicly Accessible PHP Info File
Published
2025-11-04
Title
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction < 2.16.5 - Missing Authorization to Unauthenticated Arbitrary Member Subscription Auto Renewal
Published
2024-12-17
Title
WPLMS < 1.9.9.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
Published
2025-11-28
Title
Sermon Manager <= 2.30.0 - Missing Authorization
Published
2025-11-07
Title
Contact Form 7 AWeber Extension < 0.1.43 - Missing Authorization to Authenticated (Subscriber+) Log Reset