cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forinstawp-connect instawp-connect

Direction: ascending
Jun 07, 2024

InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-22145

CVE, Research URL

CVE-2024-22145

Date
May 17, 2024
Research Description
Improper Privilege Management vulnerability in InstaWP Team InstaWP Connect allows Privilege Escalation.This issue affects InstaWP Connect: from n/a through 0.1.0.8.
Affected versions
Min -, max -.
Status
vulnerable

InstaWP Connect – 1-click WP Staging & Migration # CVE-2023-3956

CVE, Research URL

CVE-2023-3956

Date
Jul 27, 2023
Research Description
The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the 'events_receiver' function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify or delete post and taxonomy, install, activate or deactivate plugin, change customizer settings, add or modify or delete user including administrator user.
Affected versions
Min -, max -.
Status
vulnerable

InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-23506

CVE, Research URL

CVE-2024-23506

Date
Jan 27, 2024
Research Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration.This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9.
Affected versions
Min -, max -.
Status
vulnerable

InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-25918

CVE, Research URL

CVE-2024-25918

Date
Apr 03, 2024
Research Description
Unrestricted Upload of File with Dangerous Type vulnerability in InstaWP Team InstaWP Connect allows Code Injection.This issue affects InstaWP Connect: from n/a through 0.1.0.8.
Affected versions
Min -, max -.
Status
vulnerable

InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-23507

CVE, Research URL

CVE-2024-23507

Date
Jan 31, 2024
Research Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration.This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9.
Affected versions
Min -, max -.
Status
vulnerable

InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-2667

CVE, Research URL

CVE-2024-2667

Date
May 02, 2024
Research Description
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation in the /wp-json/instawp-connect/v1/config REST API endpoint in all versions up to, and including, 0.1.0.22. This makes it possible for unauthenticated attackers to upload arbitrary files.
Affected versions
Min -, max -.
Status
vulnerable

InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-32701

CVE, Research URL

CVE-2024-32701

Date
Jun 09, 2024
Research Description
Missing Authorization vulnerability in InstaWP Team InstaWP Connect.This issue affects InstaWP Connect: from n/a through 0.1.0.24.
Affected versions
Min -, max -.
Status
vulnerable
Jun 13, 2024

InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-4898

CVE, Research URL

CVE-2024-4898

Date
Jun 12, 2024
Research Description
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site to InstaWP API, edit arbitrary site options and create administrator accounts.
Affected versions
Min -, max -.
Status
vulnerable
Jun 25, 2024

InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-37228

CVE, Research URL

CVE-2024-37228

Date
Jun 24, 2024
Research Description
Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP Team InstaWP Connect allows Code Injection.This issue affects InstaWP Connect: from n/a through 0.1.0.38.
Affected versions
Min -, max -.
Status
vulnerable
Jul 12, 2024

InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-6397

CVE, Research URL

CVE-2024-6397

Date
Jul 11, 2024
Research Description
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1.0.44. This is due to insufficient verification of the API key. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username, and to perform a variety of other administrative tasks. NOTE: This vulnerability was partially fixed in 0.1.0.44, but was still exploitable via Cross-Site Request Forgery.
Affected versions
Min -, max -.
Status
vulnerable
Mar 15, 2025

InstaWP Connect – 1-click WP Staging & Migration # CVE-2024-13913

CVE, Research URL

CVE-2024-13913

Date
Mar 14, 2025
Research Description
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.0.83. This is due to missing or incorrect nonce validation in the '/migrate/templates/main.php' file. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Affected versions
Min -, max -.
Status
vulnerable