Vulnerabilities and security researches forinstawp-connect instawp-connect
Direction: ascendingJun 07, 2024
InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-22145
- CVE, Research URL
- Date
- May 17, 2024
- Research Description
- Improper Privilege Management vulnerability in InstaWP Team InstaWP Connect allows Privilege Escalation.This issue affects InstaWP Connect: from n/a through 0.1.0.8.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
InstaWP Connect – 1-click WP Staging & Migration # CVE-2023-3956
- CVE, Research URL
- Date
- Jul 27, 2023
- Research Description
- The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the 'events_receiver' function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify or delete post and taxonomy, install, activate or deactivate plugin, change customizer settings, add or modify or delete user including administrator user.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-23506
- CVE, Research URL
- Date
- Jan 27, 2024
- Research Description
- Exposure of Sensitive Information to an Unauthorized Actor vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration.This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-25918
- CVE, Research URL
- Date
- Apr 03, 2024
- Research Description
- Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP Team InstaWP Connect allows Code Injection.This issue affects InstaWP Connect: from n/a through 0.1.0.8.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-23507
- CVE, Research URL
- Date
- Jan 31, 2024
- Research Description
- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration.This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-2667
- CVE, Research URL
- Date
- May 02, 2024
- Research Description
- The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for unauthenticated attackers to upload arbitrary files.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-32701
- CVE, Research URL
- Date
- Jun 09, 2024
- Research Description
- Missing Authorization vulnerability in InstaWP Team InstaWP Connect.This issue affects InstaWP Connect: from n/a through 0.1.0.24.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Jun 13, 2024
InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-4898
- CVE, Research URL
- Date
- Jun 12, 2024
- Research Description
- The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options and create administrator accounts.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Jun 25, 2024
InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-37228
- CVE, Research URL
- Date
- Jun 24, 2024
- Research Description
- Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP Team InstaWP Connect allows Code Injection.This issue affects InstaWP Connect: from n/a through 0.1.0.38.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Jul 12, 2024
InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-6397
- CVE, Research URL
- Date
- Jul 11, 2024
- Research Description
- The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verification of the API key. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username, and to perform a variety of other administrative tasks. NOTE: This vulnerability was partially fixed in 0.1.0.44, but was still exploitable via Cross-Site Request Forgery.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Mar 15, 2025
InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-13913
- CVE, Research URL
- Date
- Mar 14, 2025
- Research Description
- The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.0.83. This is due to missing or incorrect nonce validation in the '/migrate/templates/main.php' file. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable