Hostinger Vulnerability – Missing Authorization to Maintenance Mode Activation – CVE-2023-6751 | WordPress Plugin Vulnerability Report
Plugin Name: Hostinger
Key Information:
- Software Type: Plugin
- Software Slug: hostinger
- Software Status: Active
- Software Author: hostinger
- Software Downloads: 1,609,570
- Active Installs: 1,000,000
- Last Updated: January 5, 2024
- Patched Versions: 1.9.8
- Affected Versions: <= 1.9.7
Vulnerability Details:
- Name: Hostinger <= 1.9.7 – Missing Authorization to Maintenance Mode Activation
- Title: Missing Authorization to Maintenance Mode Activation
- Type: Missing Authorization
- CVE: CVE-2023-6751
- CVSS Score: 7.3 (High)
- Publicly Published: January 5, 2024
- Researcher: Lucio Sá
- Description: The Hostinger plugin for WordPress is vulnerable to unauthorized plugin settings update due to a missing capability check on the function publish_website in all versions up to, and including, 1.9.7. This makes it possible for unauthenticated attackers to enable and disable maintenance mode.
Summary:
The Hostinger for WordPress has a vulnerability in versions up to and including 1.9.7 that allows unauthenticated attackers to enable and disable maintenance mode. This vulnerability has been patched in version 1.9.8.
Detailed Overview:
The Hostinger plugin did not properly check for user capabilities before allowing changes to the maintenance mode setting. This means anyone could make requests to the publish_website function and activate or deactivate maintenance mode without needing to authenticate. This could allow attackers to lock site owners out of their own sites or cause denial of service. The vulnerability is fixed in version 1.9.8 with the addition of a capability check.
Advice for Users:
- Immediate Action: Update to Hostinger version 1.9.8 as soon as possible.
- Check for Signs of Compromise: Review your site’s maintenance mode setting and logs for any unauthorized changes.
- Alternate Plugins: Consider alternative hosting plugins like WP Engine or Kinsta as a precaution.
- Stay Updated: Enable automatic updates for plugins to get security fixes as they are released.
Conclusion:
Hostinger responded quickly with a patch to prevent unauthorized access to the maintenance mode. Users should update as soon as possible to Hostinger 1.9.8 or newer to secure their WordPress sites.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/hostinger
Detailed Report:
WordPress powers over 40% of all websites, making it an attractive target for hackers seeking vulnerabilities to exploit. Unfortunately, a serious security flaw was recently discovered in versions of the popular Hostinger hosting plugin up to and including 1.9.7. This vulnerability allows an attacker to enable or disable maintenance mode without authentication, potentially locking you out of your own website! Given the broad installation base of over 1 million active sites, users need to take action now to update Hostinger and secure their WordPress sites.
About the Hostinger Plugin
The Hostinger plugin is a popular hosting management plugin with over 1.6 million downloads. It is actively maintained and updated by Hostinger to provide easy management of Hostinger hosting services from within the WordPress dashboard.
Details of the Vulnerability
Specifically, a missing capability check in the publish_website function allows unauthenticated users to access and modify the maintenance mode setting. The vulnerability is categorized as CVE-2023-6751 and has a relatively high CVSS severity score of 7.3 out of 10.
Impacts of This Vulnerability
If exploited, this flaw allows anyone to enable maintenance mode on vulnerable sites. This could effectively lock site owners out of their own admin dashboards and websites. Attackers could also use it to cause denial of service outages. Over 1 million active sites are potentially at risk until they update to the patched release.
How to Update and Remediate
The good news is that Hostinger has already issued a patched update that addresses this vulnerability in version 1.9.8. So updating the plugin is as simple as:
- Logging into your WordPress dashboard
- Navigating to Plugins > Installed Plugins
- Clicking “Update” on the Hostinger plugin
If you have concerns about whether your site was compromised, you can also check your maintenance mode logs for unauthorized changes.
Avoiding Future Vulnerabilities
As a business owner, you don’t have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We’ll update everything to patched versions so you can rest easy knowing your site is locked down.
Focus on your business goals while we focus on your WordPress site’s security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.
Hostinger Vulnerability – Missing Authorization to Maintenance Mode Activation – CVE-2023-6751 | WordPress Plugin Vulnerability Report FAQs
What exactly is the Hostinger plugin?
What exactly is the Hostinger plugin?
The Hostinger plugin allows WordPress site owners to manage their Hostinger web hosting account from within their WordPress admin dashboard. It streamlines tasks like clearing the cache, enabling staging sites, and more without needing to log in separately to Hostinger. The plugin has over 1.6 million downloads and 1 million active installs.
How serious is this vulnerability?
How serious is this vulnerability?
The vulnerability, labeled as CVE-2023-6751, has a CVSS severity score of 7.3 out of 10, putting it in the “high severity” range. A missing capability check allows any unauthenticated user to modify the maintenance mode setting on vulnerable websites. Attackers could exploit it to lock site owners out of their dashboards or cause denial of service outages. So it gives significant control to potential hackers with serious implications.
Could my site be at risk?
Could my site be at risk?
If you have the Hostinger plugin installed in a version prior to 1.9.8, then yes your site is vulnerable. You can log into your WordPress dashboard and check Plugins > Installed Plugins to verify what version is running. Any site still running 1.9.7 or earlier needs to urgently update. Given over 1 million active vulnerable installations, this is quite widespread.
How can I tell if hackers compromised my site already?
How can I tell if hackers compromised my site already?
First, update to Hostinger 1.9.8 or higher immediately. After that is done, you can dig into your maintenance mode logs for any unauthorized entries where the status was changed without your action. If you see something suspicious there or notice your site was down at odd times, you may have already fallen victim and should take further steps to fully audit for malware or backdoors.
What damage can hackers do through this vulnerability?
What damage can hackers do through this vulnerability?
The main risks are from locking site owners out by enabling maintenance mode without authorization. Attackers can exploit this to hold sites hostage for ransom demands. They may also use it to simply cause denial of service outages and website downtime by arbitrarily toggling maintenance mode on and off. If they can lock you out fully, they could then leverage that access to install backdoors, malware, steal data, and more.
How exactly was this vulnerability patched?
How exactly was this vulnerability patched?
In version 1.9.8, Hostinger added proper authentication checks before allowing changes to the maintenance mode setting. Now users must have proper WordPress role capabilities before toggling maintenance mode on or off. This blocks the unauthorized access. Plugin users just need to update to the latest patched release.
Is updating the only thing I need to do to stay safe?
Is updating the only thing I need to do to stay safe?
Updating to close this specific vulnerability is critical. However, good overall WordPress security requires an ongoing commitment. Enable automatic background updates on plugins and the WordPress core whenever possible. Also consider locking down access, limiting plugins, conducting frequent malware scans, and establishing recovery backups. Strong passwords and multi-factor authentication for all admin logins are advised too.
What if I can’t update right away? Are there any temporary fixes?
What if I can’t update right away? Are there any temporary fixes?
There are not great shortcuts if you are still running a vulnerable release. Separate plugins to more strictly control user capabilities and permissions could block unauthorized configuration changes however. Disabling the plugin itself also closes the issue but means losing Hostinger management functionality. We’d advise backing up your site immediately if an urgent update is not viable.
Are there any signs I may have outdated or vulnerable plugins?
Are there any signs I may have outdated or vulnerable plugins?
Beyond Hostinger specifically, any out-of-date plugins pose risks. Hacking efforts frequently target plugins over a year old missing the latest security fixes. Signs of outdated extensions include functionality breaks, styling issues, or errors mentioning unsupported integration or PHP versions. Staying on top of notifications and WordPress alerts about outdated plugins takes time but is key to identifying potential holes.
What core WordPress security best practices should I follow?
What core WordPress security best practices should I follow?
Hardening WordPress security is a layered, ongoing process but a few core tenets to follow include: regular core, plugins and themes updates to fix vulnerabilities quickly; limiting plugins only to trusted extensions necessary for your site’s functionality; configuring strong passwords, multi-factor authentication and role-based access controls for all admin users; performing malware scans particularly after noticing odd behaviors or errors; and establishing automatic backups to aid recovery processes if an attack still occurs.