Question 1

What exactly is the Hostinger plugin?

Accepted Answer

What exactly is the Hostinger plugin?

The Hostinger plugin allows WordPress site owners to manage their Hostinger web hosting account from within their WordPress admin dashboard. It streamlines tasks like clearing the cache, enabling staging sites, and more without needing to log in separately to Hostinger. The plugin has over 1.6 million downloads and 1 million active installs.

Question 2

How serious is this vulnerability?

Accepted Answer

How serious is this vulnerability?

The vulnerability, labeled as CVE-2023-6751, has a CVSS severity score of 7.3 out of 10, putting it in the "high severity" range. A missing capability check allows any unauthenticated user to modify the maintenance mode setting on vulnerable websites. Attackers could exploit it to lock site owners out of their dashboards or cause denial of service outages. So it gives significant control to potential hackers with serious implications.

Question 3

Could my site be at risk?

Accepted Answer

Could my site be at risk?

If you have the Hostinger plugin installed in a version prior to 1.9.8, then yes your site is vulnerable. You can log into your WordPress dashboard and check Plugins > Installed Plugins to verify what version is running. Any site still running 1.9.7 or earlier needs to urgently update. Given over 1 million active vulnerable installations, this is quite widespread.

Question 4

How can I tell if hackers compromised my site already?

Accepted Answer

How can I tell if hackers compromised my site already?

First, update to Hostinger 1.9.8 or higher immediately. After that is done, you can dig into your maintenance mode logs for any unauthorized entries where the status was changed without your action. If you see something suspicious there or notice your site was down at odd times, you may have already fallen victim and should take further steps to fully audit for malware or backdoors.

Question 5

What damage can hackers do through this vulnerability?

Accepted Answer

What damage can hackers do through this vulnerability?

The main risks are from locking site owners out by enabling maintenance mode without authorization. Attackers can exploit this to hold sites hostage for ransom demands. They may also use it to simply cause denial of service outages and website downtime by arbitrarily toggling maintenance mode on and off. If they can lock you out fully, they could then leverage that access to install backdoors, malware, steal data, and more.

Question 6

How exactly was this vulnerability patched?

Accepted Answer

How exactly was this vulnerability patched?

In version 1.9.8, Hostinger added proper authentication checks before allowing changes to the maintenance mode setting. Now users must have proper WordPress role capabilities before toggling maintenance mode on or off. This blocks the unauthorized access. Plugin users just need to update to the latest patched release.

Question 7

Is updating the only thing I need to do to stay safe?

Accepted Answer

Is updating the only thing I need to do to stay safe?

Updating to close this specific vulnerability is critical. However, good overall WordPress security requires an ongoing commitment. Enable automatic background updates on plugins and the WordPress core whenever possible. Also consider locking down access, limiting plugins, conducting frequent malware scans, and establishing recovery backups. Strong passwords and multi-factor authentication for all admin logins are advised too.

Question 8

What if I can’t update right away? Are there any temporary fixes?

Accepted Answer

What if I can’t update right away? Are there any temporary fixes?

There are not great shortcuts if you are still running a vulnerable release. Separate plugins to more strictly control user capabilities and permissions could block unauthorized configuration changes however. Disabling the plugin itself also closes the issue but means losing Hostinger management functionality. We'd advise backing up your site immediately if an urgent update is not viable.

Question 9

Are there any signs I may have outdated or vulnerable plugins?

Accepted Answer

Are there any signs I may have outdated or vulnerable plugins?

Beyond Hostinger specifically, any out-of-date plugins pose risks. Hacking efforts frequently target plugins over a year old missing the latest security fixes. Signs of outdated extensions include functionality breaks, styling issues, or errors mentioning unsupported integration or PHP versions. Staying on top of notifications and WordPress alerts about outdated plugins takes time but is key to identifying potential holes.

Question 10

What core WordPress security best practices should I follow?

Accepted Answer

What core WordPress security best practices should I follow?

Hardening WordPress security is a layered, ongoing process but a few core tenets to follow include: regular core, plugins and themes updates to fix vulnerabilities quickly; limiting plugins only to trusted extensions necessary for your site’s functionality; configuring strong passwords, multi-factor authentication and role-based access controls for all admin users; performing malware scans particularly after noticing odd behaviors or errors; and establishing automatic backups to aid recovery processes if an attack still occurs.

maintenance mode

Hostinger Vulnerability – Missing Authorization to Maintenance Mode Activation – CVE-2023-6751 | WordPress Plugin Vulnerability Report

LightStart Vulnerability – Maintenance Mode, Coming Soon and Landing Page Builder – Missing Authorization – CVE-2023-7019| WordPress Plugin Vulnerability Report

Recent Blog Posts

LiteSpeed Cache Vulnerability – Unauthenticated Sensitive Information Exposure via Log Files – CVE-2024-44000 | WordPress Plugin Vulnerability Report

Elementor Addon Elements Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Parameters – CVE-2024-4401, CVE-2024-7122 | WordPress Plugin Vulnerability Report

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid Vulnerability – Authenticated (Contributor+) Information Disclosure – CVE-2024-7418 | WordPress Plugin Vulnerability Report

Additional Resources

About Your WP Guy