CVE-2023-6751

HIGH

Hostinger < 1.9.7 - Unauthenticated Plugin Settings Update via publish_website Function

Description

The Hostinger plugin for WordPress is vulnerable to unauthorized plugin settings updates due to a missing capability check on the publish_website function in all versions up to, and including, 1.9.7. This makes it possible for unauthenticated attackers to enable and disable maintenance mode.

Scores

CVSS v3 7.3
EPSS 0.0045
EPSS Percentile 36.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (2)
hostinger/hostinger < 1.9.7
hostinger/Hostinger Tools < 1.9.7
Published Jan 11, 2024
Tracked Since Feb 18, 2026