Cross-Site Request Forgery in InstaWP Connect Plugin for WordPress
CVE-2024-13913

8.8HIGH

Key Information:

Vendor: WordPress
Status: InstaWP Connect – 1-click WP Staging & Migration
Vendor: CVE Published:; 14 March 2025

What is CVE-2024-13913?

The InstaWP Connect plugin, used for 1-click WordPress staging and migration, contains a susceptibility to Cross-Site Request Forgery due to inadequate nonce validation in the '/migrate/templates/main.php' file. This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server. Exploiting this flaw could allow the execution of any PHP code contained in the files, potentially leading to unauthorized access, sensitive data retrieval, and code execution by exploiting upload functionalities that may permit seemingly 'safe' file types.

Affected Version(s)

InstaWP Connect – 1-click WP Staging & Migration * <= 0.1.0.83

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/instawp-connec...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 14, 2025
Vulnerability Reserved
Feb 28, 2025

Credit

Bassem Essam